MediSecure, an Australian company providing electronic prescription services, encountered a ransomware attack that enabled the theft of 6.5TB of data, which included the sensitive information of approximately 12.9 million Australians – about 50% of the population of Australia. This incident is the biggest data breach in Australia in 2024 and is included in the top 5 Australian data breaches in history.
MediSecure discovered the attack on April 13, 2024; but determining the scope of the data breach took time. MediSecure stated it could restore the impacted server using a backup and made attempts to determine the impacted persons and the information affected. That course of action is very time-consuming because the server included a particularly big volume of unstructured and semi-structured information throughout different data sets.
The information in the backup belonged to those who made use of MediSecure’s prescription delivery service from March 2019 to November 2023, including names, contact details, Medicare and concession card data, and prescription details. During the ransomware attack, MediSecure failed to have any access to the prescription and dispensing of doctor-prescribed drugs.
MediSecure contacted the administration after the attack, and the administrators reported that the precise number of people impacted and specific information involved might never be identified, because it isn’t practicable to precisely determine the affected people and the specific data that was breached in the cyberattack.
Because MediSecure went into administration, inadequate resources are accessible to enable the public to inquire regarding whether their information was exposed and MediSecure cannot pay for the cost. MediSecure tried to obtain a bailout from the Australian government to enable it to continue operations, however, the request was rejected.
Some stolen information was published on the dark web by the group responsible for the attack. Cyber threat experts think the stolen information was already sold. The stolen information was at first posted with a cost of $50,000 and now the listing says the information was sold. The same data was allegedly relisted by the buyer and offered at the discounted price of $25,000. The Australian National Cyber Security Coordinator has released an alert to all the impacted people concerning the risk of scams and inappropriate use of their information.
Because of the increasing incidence of cyberattacks, healthcare providers need to provide equip employees on protecting the privacy of individuals like giving training on the Privacy Act of 1988 in Australia, the counterpart of HIPAA training in the U.S.
