Ransomware, Privacy

Australians’ prescription records breached in large-scale ransomware attack

White pills spilled out of a orange pill bottle

Australia’s federal government is overseeing the response to a “large-scale” ransomware attack against MediSecure, a company that processed tens of millions of e-prescriptions for the nation’s citizens.

Click for more special coverage

While authorities and the company have acknowledged personal and health information was impacted, it is unclear how many records were breached, or who was responsible.

The country’s national cybersecurity coordinator, Lt. Gen. Michelle McGuinness, said in a statement she was managing the incident “working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response.”

The Australian Federal Police were investigating the attack and the Australian Cyber Security Centre, part of the country’s Signals Directorate, were aware of the incident, McGuinness added.

MediSecure took its website offline after discovering the breach. “While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors,” the company said.

Until last year, MediSecure was one of two medical technology companies contracted to provide e-script services across Australia’s public pharmaceutical prescription service. MediSecure lost the contract to another provider in late 2023 but continues to offer similar services to healthcare organizations in the private sector.

Since 2020, more than 200 million prescriptions had been processed by the country’s e-script providers, including MediSecure.

In an incident update, McGuinness said it appeared no current e-scripts were impacted by the breach.

“On the basis of technical advice from MediSecure to date, the original compromise has been isolated and there is no evidence to suggest an increased cyber threat to the medical sector,” she said.

No ransomware group appears to have claimed responsibility for the attack.

Javvad Malik, lead security awareness advocate at KnowBe4, said the incident was a reminder of the importance of robust cybersecurity measures within the healthcare sector.

“This breach not only disrupts the service provider's operations but potentially exposes sensitive patient data, a scenario that could have far-reaching impacts on individuals' privacy and trust in digital health services,” he said.

“The lack of a claim of responsibility at this stage does little to mitigate the potential harm. It underscores a crucial point: entities, especially in sectors as sensitive as healthcare, must remain vigilant, adopting a proactive stance towards cybersecurity to defend against such threats.”

In late 2022, a ransomware attack on Medibank, Australia’s largest private health insurance provider, exposed the personal of about 9.7 million customers.

The breach resulted in the company being subjected to increased government oversight, amidst hopes wider lessons would be learned to help improve cybersecurity across the country’s healthcare sector.

Earlier this year the U.S. and UK sanctioned Russian national Alexander Ermakov for his involvement in the Medibank attack.

KnowBe4’s Malik said the latest MediSecure breach was a sobering reminder that cybersecurity was not just an IT issue, but also a patient safety issue.

“As the investigation unfolds, it will be pivotal for MediSecure and similar organizations to not only address the immediate breach but to reassess and fortify their security posture and create a strong security culture to prevent future incidents,” he said.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.