MediSecure’s Data Breach Compromised Healthcare Data

MediSecure, an electronic prescriptions provider, suffered a data breach that compromised people’s health data. The Australian Federal Police have investigated and reported the breach to Australia’s National Cyber Security Coordinator.

In 2023, MediSecure was not selected in a government tender process, but despite this, MediSecure secured over 28 million scripts.

Lt Gen Michelle McGuinness, the national cyber security coordinator, stated the government was still “working to build a picture of the size and nature of the data that MediSecure’s data breach has impacted.”

McGuinness also stated, “This discovery work often takes time, and I understand Australians are anxious about the possibility of their personal information being affected.”

According to MediSecure, the compromise was “isolated.” McGuinness said the agency is investigating whether identity documents may have been accessed, and Services Australia, as well as states and territories, were working with the coordinator.

MediSecure did not reveal how many people were impacted by the breach but said it would provide further information on its website “as soon as more details become available.” The company has been working with Australia’s National Cyber Security Coordinator to address the effect of the cybersecurity incident. It has also notified the regulatory agencies, including the Office of the Australian Information Commissioner. This cybersecurity incident sheds light on the vulnerability of health data.

Until 2023, MediSecure operated as one of two nationwide electronic prescription service providers that dispensed prescriptions from healthcare providers to pharmacies.

According to Sophos’ report on ransomware in Australia in 2024, out of 330 Australian cybersecurity and IT leaders surveyed, 54% said their organization had experienced a ransomware attack. That’s a decrease from 70% last year (2023) and 80% the year before (2022). According to Sophos, the average ransom paid in 2024 was $9m, a whopping 297% increase on last year’s average.

The health department switched to eRx last year in a four-year, nearly $100m contract with Fred IT Group, and healthcare providers and pharmacies transitioned from MediSecure. MediSecure continues to supply prescription services to third-party providers.

Data thieves understand that this makes victim organizations more likely to accept a ransom demand, as demonstrated by the large-scale Change Healthcare attack in the United States, where the company paid $22 million to the criminals. Despite the company paying the ransom demand, more ransomware actors reportedly began leaking sensitive data and blackmailing the company for more money.

The healthcare industry heavily relies on digital solutions to enhance service quality and reduce costs. However, this reliance often precedes the implementation of robust cybersecurity measures.

