MediSecure reveals 12.9 million Australians had personal data stolen in cyber attack earlier this year

eScript provider MediSecure has revealed the personal data of 12.9 million Australians was stolen by hackers earlier this year, making it one of the largest cyber breaches in Australian history.

MediSecure, which facilitates electronic prescriptions and dispensing, confirmed it was the victim of a large-scale data breach in May.

The company had previously not disclosed how many Australians were affected but confirmed the data was taken from its systems up until November last year.

MediSecure went into voluntary administration in June after the federal government declined to provide it with a financial bailout.

A sample of the data has since been published on the darkweb, but the ABC understands there is no indication the larger trove has been publicly released.

In a statement released late Thursday afternoon, MediSecure gave details about the kinds of data stolen including full names, phone numbers, dates of birth, home addresses, Medicare numbers, and Medicare card expiry dates.

The 6.5 terabytes of data also included which medications people were prescribed, the name of the drug, its strength, quantity, repeats, the reason for their prescription, and instructions for taking the medication.

The company folded in June this year, a month after the breach was first announced, with a different company, eRx, now the sole provider of electronic prescriptions to Australians.

National Cyber Security Coordinator Lieutenant General Michelle McGuinness released a statement on X.

"There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions," Lieutenant General McGuinness said.

Lieutenant General McGuinness, who was appointed to the coordinator role in February, said Australians should not go looking for the dataset online.

"I understand many Australians will be concerned about the scale of this breach," she said.

"This activity only feeds the business model of cyber criminals and can be a criminal offence."

Australians are being told to watch out for scams referencing the MediSecure data breach, and not to respond to unsolicited contact that mentions the incident.

"If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently."

Original story link https://www.abc.net.au/news/2024-07-18/medisecure-data-cyber-hack-12-million/104112736

Story by Ange Lavoipierre