Data of 13 million MediSecure customers compromised in ransomware attack

Approximately 12.9 million Australians using the MediSecure prescription delivery service suffered a loss of personal information from an April ransomware attack, MediSecure said in a statement.

The electronic prescription provider said it has now ceased its investigations of the incident that led it to temporarily shut down its website and phone lines in May.

“MediSecure wishes to inform the public that the personal and sensitive information, including contact and health information, of approximately 12.9 million (users) during the approximate period of March 2019 to November 2023, was contained within MediSecure data stolen by a malicious third-party actor,” the company said.

Australian National Cyber Security Coordinator (NCSC) called it a “large-scale ransomware data breach” at the time and said the Australian Federal Police were investigating the incident in collaboration with the Australian Cybersecurity Center.

Sensitive Personal and health data compromised

An early forensic investigation by the company into the relevant impact of the incident indicated that 6.5TB of data stored on a database server was likely exfiltrated by a malicious third-party actor, although, encrypted servers couldn’t be examined for further details.

The company, however, now has reports from an additional analysis that confirmed the impacted data included personal information including full names, titles, dates of birth, gender addresses, email addresses, phone numbers, and individual healthcare identifiers (IHI).

More sensitive information that could be used in frauds and identity thefts included Medicare card numbers (including individual identifier and expiry), Pensioner Concession card number and expiry, Commonwealth Seniors card number and expiry, Healthcare Concession card number and expiry, Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry.

Sensitive individual health data included prescription medication, including the name of the drug, strength, quantity, and the reason for prescription and instructions.

“The types of information impacted may increase the likelihood of Australians being targeted by phishing, identity-related crime, and cyber scam activities,” the company added.

Caution advised to MediSecure users

Due to the complexity of the data involved, the company said it has been unable to identify the specific impacted individuals “despite making all reasonable efforts”. The incident is currently being investigated under the banner Aquila, a collaborative operation established by the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) in November 2022.

The company said it was able to successfully restore backup of the encrypted servers on May 17, 2024, and has since initiated the investigation of the impacted information, which it has now decided to cease. The statement directed users to a dedicated webpage by the NCSC for further information and steps.

“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure,” the NCSC said in an X post. “If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information you should hang up and call back on a phone number you have sourced independently.”

The company is currently underfunded and had contacted the Australian Government for support which was later denied. “Due to MediSecure’s financial position, it cannot include contact details in this statement as resources are not available to respond to phone calls or email inquiries by individuals that may be impacted by the Incident,” MediSecure said.

Ransomware has picked up in the healthcare segment owing to the sensitivity of the data involved. Earlier this year, Change Healthcare, a subsidiary of UnitedHealth Group, paid nearly $22 million in ransom to the BlackCat (AlphV) ransomware group. The same attack that affected Change Healthcare cost UnitedHealth Group around $870 million in total.