Massive Data Breach Hits 12.9 Million Australians

In one of the largest cyber breaches in Australian history, eScript provider MediSecure has revealed that the personal data of 12.9 million Australians was stolen by hackers earlier this year.

MediSecure, which handles electronic prescriptions and dispensing, confirmed that the breach occurred in May and affected data up to November last year.

The company, which entered voluntary administration in June after the federal government declined to provide a financial bailout, had not previously disclosed the extent of the breach. A sample of the stolen data has since been published on the dark web, but there is currently no indication that the entire trove has been publicly released.

In a statement released late Thursday afternoon, MediSecure detailed the types of data stolen, which include full names, phone numbers, dates of birth, home addresses, Medicare numbers, and Medicare card expiry dates. The 6.5 terabytes of data also included information on prescribed medications, including the name of the drug, its strength, quantity, repeats, the reason for the prescription, and instructions for taking the medication.

Following the breach, MediSecure folded in June, with eRx now the sole provider of electronic prescriptions in Australia.

National Cyber Security Coordinator Lieutenant General Michelle McGuinness reassured the public in a statement on X that there is no impact on the current national prescription delivery service and encouraged people to continue accessing their medications and filling their prescriptions.

"I understand many Australians will be concerned about the scale of this breach," Lieutenant General McGuinness said. "This activity only feeds the business model of cyber criminals and can be a criminal offence."

Australians are being warned to watch out for scams referencing the MediSecure data breach and to avoid responding to unsolicited contacts mentioning the incident.

"If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently," advised Lieutenant General McGuinness.

Here is the statement in full:

This afternoon MediSecure and its administrators have publicly advised that the company has ceased its investigation into the cyber incident that impacted the company earlier this year.

MediSecure advised that the personal and sensitive information, including contact and health information, of approximately 12.9 million Australians was contained within MediSecure data stolen by a malicious third-party actor and the incident remains under investigation by the Australian Federal Police.

Importantly, there continues to be no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions.

MediSecure has issued a public statement on the data breach, which includes an outline of the types of information impacted. This statement can be accessed at http://medisecurenotification.wordpress.com

The Australian Government has refreshed its advice to Australians on what they need to do to protect themselves. This advice can be found at http://homeaffairs.gov.au/cyberincident.

At this time, the Australian Government is not aware of publication of the full data set. No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence.

I understand many Australians will be concerned about the scale of this breach. I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams.

Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure. If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently.

We can all take simple steps to protect ourselves online, including setting up multi-factor authentication, creating strong and unique passphrases and installing software updates regularly. More advice on protecting yourself online is available at http://cyber.gov.au.