Online prescription provider MediSecure has been the target of a ‘large-scale ransomware’ data breach, according to a statement released by the company, which says the attack impacts the personal and health information of individuals.
The company has reported the breach originated from one of its third-party vendors, and said it is working with the National Cyber Security Coordinator, Michelle McGuinness, to manage the impacts of the incident.
In a statement on X (Formerly Twitter) McGuinness said, “We are still working to build a picture of the size and nature of the data that has been impacted by this data breach impacting MediSecure.
“From the information that is currently available to the Government, no current ePrescriptions have been impacted or accessed. The Department of Health has confirmed there has been no impact to the ePrescription services currently in use.”
Companies that handle large volumes of personal data, such as Medibank and Optus which have seen breaches in recent years, are increasingly becoming an attractive target for cybercriminals, Dr James Scheibner from Flinders University in South Australia told the AusSMC.
“As with the Medibank data breach in 2022, the MediSecure attack demonstrates that organisations which handle large quantities of sensitive information are prime targets for cybercriminals,” he says.
“Prescription information is highly sensitive and if released can cause significant distress and harm to those caught in the attack.”
While the scale and impact of the MediSecure breach is currently unknown, cyber security expert Professor Matthew Warren from RMIT University in Victoria says although the company has been operating since 2009, the impact might be limited to old, existing patients, as MediSecure is no longer used for new scripts.
“In November last year, it stopped being used for new scripts after the government’s publicly funded national prescription delivery service began However, it was kept online to preserve existing scripts issued through its service.”
The Government’s new approach to cyber security incident handling shows a new energy, he added.
Research associate Joel Lisk also from Flinders University, agreed, saying the coordination reflects the learnings of the Australian Government in the aftermath of other recent large-scale data breaches.
“With the data subject of the ransomware attack being sensitive health information, it is good to see rapid action by MediSecure, the Australian Digital Health Agency, National Cyber Security Coordinator and enforcement agencies to cooperatively address the breach.”
McGuinness noted in her statement that the original compromise has been isolated, and there is no evidence to suggest an increased cyber threat to the medical sector. However, experts say the breach is a timely reminder to all organisations which hold personal information to review their cyber security practices.
Professor Nigel Phair from Monash University in Victoria says all organisations should ensure they are only collecting, storing and using the bare minimum required.
“We have learnt from other major cyber attacks against Australian organisations which hold the personal identities of Australians that the after effects are major and ongoing. There is nothing more serious nor sensitive than having health data exposed,” he said.
The use of third party systems must also be carefully considered, Lisk says.
“This is an important reminder that while an organisation might take steps to protect personal information it holds, its service providers and those external third parties that can access that information need to adhere to and implement those security measures,” he says.
“Third parties with access can be the weak link in an otherwise strong cyber security system.”
On an individual level, it is difficult to know what can be done until specific details on the MediSecure breach have been released.
But Associate Professor Paul Haskell-Dowland says the public still must be vigilant in the wake of this breach, as it may encourage opportunist scammers to take advantage of the current situation.
“Users of their service should be cautious of any communications purporting to be from the organisation,” Haskell-Dowland says.
“We are also likely to see scams that use the story as a ‘hook’ to target victims (not necessarily just the cyber criminals involved in the ransomware incident).”
“Never click on links in unsolicited emails or SMS messages and independently validate the legitimacy of calls.”
Read the full AusSMC Expert Reaction.