MediSecure: Millions of Australians had sensitive health information stolen and uploaded to the dark web in one of the largest hacks ever
Earlier this year, hackers stole the personal information of almost 13 million Australians, including their medical records, in one of the largest cyber attacks in the country’s history.
Electronic prescription provider MediSecure announced Thursday that the data of 12.9 million customers had been stolen, an unknown number of which had been uploaded to the dark web.
The company first learned of the breach on April 13, when suspected ransomware was discovered on a server containing sensitive personal and medical data. The attack was publicly confirmed in May.
The 6.5 terabytes of stolen data includes names, dates of birth, addresses, phone numbers, Medicare numbers, prescription information and the reason for taking the medications.
A sample of personal information has been exposed on the dark web, but the company says that due to the complexity of the data and the costs involved, it is unable to identify specific individuals who may have been affected.
The federal government was unaware of the release of the full dataset, Lt. Gen. Michelle McGuinness, National Cyber Security Coordinator, said on X, formerly Twitter.
“No one should have to search for or access stolen sensitive or personal information from the dark web,” Lt. Gen. McGuinness said Thursday.
The personal and medical data of as many as 12.9 million Australians has been stolen by a ‘malicious third party’ and uploaded to the dark web after e-prescription provider MediSecure was hacked (file photo)
“This activity only feeds the cybercriminals’ business model and could be a criminal offense.”
People who search for their information on the dark web are at risk of committing cybercrime if they come across stolen personal information, and could face up to five years in prison for doing so.
“I understand that many Australians are concerned about the scale of this breach. I encourage everyone, whether they have been affected by this incident or not, to be vigilant about scams,” Lt-Gen McGuiness said.
MediSecure was one of two electronic prescription delivery services until the end of 2023. The Australian government awarded the service exclusively to eRx Script Exchange.
The company appointed liquidators in June and went into receivership. The company is not part of Australia’s digital health network.
The government has confirmed that the national prescription delivery service eRx is not affected by this cyber incident.
“Consumers can still access medicines safely and healthcare providers can still prescribe and dispense them in the usual way,” the report said.
The MediSecure breach affected almost half the population, making it one of the largest cyber attacks in Australia.
An attack on Optus in September 2022 affected 10 million users and another attack in October on Medibank affected around 9.7 million people.
People who fall victim to the cyber hack may face an increase in phishing, identity-related crime and cyber fraud.
The National Cyber Security Coordinator urged them to remain alert to scams referring to the MediSecure data breach and not to respond to unsolicited contact referring to the company’s data breach.