Droves of personal information and prescription details from the MediSecure breach have allegedly appeared for sale on a popular Russian-language hacking forum.
Earlier this month, Australian e-script provider MediSecure – which operated as a nationwide prescription delivery service until late 2023 – made national news after it announced an undisclosed amount of private data and prescription-related details had been caught up in a major data breach.
Now, a hacking forum member going by the handle ‘Ansgar’ claims to be in possession of 6.5 terabytes of Australians’ data.
“For Sale: Database of an Australian medical prescriptions company MedSecure [sic],” wrote Ansgar.
“Price: $50,000… selling only to one buyer.”
The threat actor claims the stolen database contains personal information – such as phone numbers, addresses, email addresses and full names – alongside insurance numbers and sensitive information about prescriptions.
As evidence of the purportedly stolen data, Ansgar has posted screenshots containing a range of prescription details alongside the details of Australian pharmacies.
Ansgar’s listing also claims to include usernames and passwords for the MediSecure website alongside “IP addresses of visitors to the site and etc.”.
The alleged 6.5 terabytes of data – some 6.3 terabytes larger than the amount reported in the 2022 data breach at Medibank – is made up of 50 million rows of data, though it is unknown how many Australians have been individually exposed.
The National Cyber Security Coordinator (NCSC) addressed this “unwelcome development” in a Saturday LinkedIn post, urging Australians not to go looking for the data and assuring those affected the government will work with MediSecure to make sure “individuals are appropriately informed”.
“We are aware a dataset purporting to be from the MediSecure breach has been advertised for sale on a dark web marketplace, along with a sample of the data,” said NCSC.
“Australians should not go looking for this data.
“Accessing stolen sensitive or personal information on the dark web only feeds the business model of cyber criminals.”
The breach is also believed to have impacted the personal information of healthcare providers – such as practitioners and pharmacists – though NCSC currently believes only a “relatively small group” has been affected.
Leak appears legitimate
While NCSC was hesitant to substantiate Ansgar’s proclaimed leak – stating government is working with MediSecure to verify the data – a statement from MediSecure confirmed both personal and health information appeared in the data set.
“MediSecure is aware that a data set containing the personal information and limited health information of our customers has been made available on a dark web forum,” wrote MediSecure.
“While MediSecure is urgently working towards notifying the impacted individuals, we wish to reiterate and reassure the Australian community that this cyber security incident does not impact any ongoing access to medication.”
Furthermore, cyber security analyst CyberKnow found mention of a former MediSecure employee in Ansgar’s listing which, alongside the formatting of the purportedly stolen pharmaceutical data, suggests the leaked data is legitimate.
“This makes it highly likely that the threat actor does indeed have the MediSecure data and is looking to sell it,” wrote CyberKnow.
More attacks, less effort
As opposed to recent data breaches at the likes of Medibank, DP World, and Aussizz Group – which are all believed to involve prominent ransom gangs backed by sophisticated infrastructure – CyberKnow suggested the MediSecure leak may have been performed by a smaller threat actor with no backing infrastructure.
CyberKnow arrived at this conclusion after noticing Ansgar’s forum account was created around the same time the incident occurred, and the leak itself appeared on a hacking forum rather than a ransom gang’s dedicated leak site.
“A good take-away for Australians from this incident is to appreciate that the cyber threat landscape is diverse, and groups and actors can impact businesses regardless of their capability, organisation or structure,” wrote CyberKnow.
MediSecure’s data breach is but the latest in a string of cascading cyber incidents rocking Australia’s healthcare sector.
Recent findings from the Office of the Australian Information Commissioner showed a significant increase in data breaches involving health service providers during 2023 – going from 63 notifications received in the first half of the year to 104 in the latter half.
Mark Jones, senior partner at Thales Australia cyber security company Tesserent, warned healthcare organisations need to be extra vigilant in consideration of recent events.
“Once again, it is evident that the healthcare sector is a prime target for those seeking access to personal information,” said Jones.
“Threat actors are continuously finding ways to compromise the personal data of Australians.
“This information can be pieced together to construct detailed medical histories, potentially causing significant impacts on individuals.
“We recommend healthcare organisations evaluate and strengthen their cyber security incident resilience and review and update incident response plans and playbooks.”