Approximately 12.9 million Australians had their personal and health information stolen during a data breach involving MediSecure, the defunct electronic prescriptions company has confirmed.

The figure means almost half of the Australian population was likely impacted by the breach of scripts distributed by MediSecure up until November 2023, making it one of the largest cyber breaches in the country’s history.

MediSecure has confirmed around 6.5TB of data appeared to have been compromised, including individuals’ names, dates of birth, email addresses, postal addresses, phone numbers, healthcare identifier numbers, Medicare and concession card numbers, medication details, and the reasons for their prescriptions.

The company, which went into administration in June just weeks after confirming it was the victim of a cyber attack, said it was “unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set”.

MediSecure said the time needed to analyse and reorganise the data to identify specific individuals and their impacted information would have been a “substantial cost”, which it could not afford.

The company had asked the federal government for a bailout in May, but the request was denied.

MediSecure said that due to its financial position, it also could not respond to phone calls or emails from people who believed they may be affected by the incident.

The company said it discovered in April that one of its servers had been encrypted by suspected ransomware, which locks up data so that perpetrators can demand ransom payments from victims.

MediSecure’s investigation found data stored on the server “was likely exfiltrated by a malicious third-party actor”.

An alleged sample of the data appeared for sale on a popular Russian-language hacking forum in May, with the entire dataset listed for sale at $50,000 — although it is unclear if it was ever purchased.

MediSecure said it had now finished its investigation of the cyber breach, but the incident remained under investigation by the Australian Federal Police.

MediSecure’s liquidator FTI Consulting said it would “continue to work with MediSecure’s advisers and liaise with the Australian government in respect to the incident”.

The federal government said there was “no impact to the current national prescription delivery service”, which is run by Fred IT Group’s eRx Script Exchange (eRx).

‘Be alert to scams’

Australia’s National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, said the government had not yet seen any publication of the full data set, but Australians should be wary of a potential increase in scams.

“No one should go looking for or access stolen sensitive or personal information from the dark web,” she said in a statement.

“This activity only feeds the business model of cyber criminals and can be a criminal offence.

“I understand many Australians will be concerned about the scale of this breach.

“I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams.

“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure.

“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information you should hang up and call back on a phone number you have sourced independently.”

McGuinness also encouraged Australians to set up multi-factor authentication on their online accounts, use strong and unique passwords, and install software updates.

The Department of Home Affairs said concession and Medicare card accounts could not be accessed with card numbers alone.

Anyone who believes their information has been misused as a result of the MediSecure breach can report it through the government’s ReportCyber site.

‘Legislation lags cyber actors’

Australian Privacy Commissioner Carly Kind said the scale of the personal information involved in the MediSecure breach showed legislative changes were needed.

She said it was also a reminder that organisations needed to “make protecting individuals’ personal information a top priority”.

“The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyber actors,” Kind said.

“Reform of the Privacy Act is urgent to ensure all Australian organisations build the highest levels of security into their operations and the community’s personal information is protected to the maximum extent possible.”

The federal government committed to only a handful of recommendations from a Privacy Act review in 2023.

Kind’s office, the Office of the Australian Information Commissioner (OAIC), is taking health insurer Medibank to court over its 2022 cyber breach, which saw the personal information of 9.7 million current and former customers exposed to hackers.

Update 23/07/24: The alleged threat actor(s) behind the MediSecure breach claim to have sold the stolen data. Information Age has been unable to independently verify their claim.