MediSecure, an eScript and secure messaging system, has gone into voluntary administration following a cyber attack that compromised the prescription data of some 12.9 million individuals.
MediSecure served as one of two eScript services that distributed prescriptions, delivering them from prescribers to a pharmacy of the patient’s choice.
Two months ago, the company announced it had been the victim of a ransomware attack, although the hack itself took place earlier and continued until November last year.
Yesterday, MediSecure released a statement explaining the company was forced into administration and liquidation by the cost of dealing with the attack, and that “MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set”.
Some 6.5 terabytes of data stolen
MediSecure has little interest in investigating the cyber breach further, with neither the financial resources nor incentives to continue haemorrhaging funds.
The company lost its main source of income last year when the Australian Government awarded the exclusive tender for eScript services to Fred IT Group’s eRx Script Exchange, which has been unaffected by the data hack.
MediSecure’s statement did detail what kind of data was taken: names, email and physical addresses, phone numbers, Medicare numbers and expiry, and prescription medications, including name, strength and reason for prescription.
Credit card details were not part of the data set stolen, and it’s unclear whether the hacked information has been sold on the Dark Web, although it was listed for sale for US$50,000, considered a low price in these black markets.
What should I do if I think my data has been compromised?
Reassuringly, the data released in the hack cannot be used to steal identities on its own. It does increase the likelihood of scams or attacks though, as the more information a threat actor has, the more options they have to do damage.
“You should be alert for scams, including those that reference the MediSecure data breach. We do not recommend responding to unsolicited contact about this matter,” the Home Affairs Department’s statement reads.
“You should also be wary of any unsolicited contact purporting to be a medical or financial service provider seeking payment or banking information.
“Hang up and call back on a phone number you have sourced independently.”
With the raft of data breaches that has made headlines in the last handful of years – Optus, Medibank, ANU, Service NSW – authorities believe most Australians have been exposed in some way, and some of us on multiple occasions.
In an interview with the ABC, National Cyber Security Coordinator Lieutenant General McGuinness warned Australians not to go looking for the dataset online.
"I understand many Australians will be concerned about the scale of this breach," she said.
"This activity only feeds the business model of cyber criminals and can be a criminal offence.
"There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions," said Lieutenant General McGuinness.