The 12.9 million Australians caught up in the hack on electronic prescriptions provider MediSecure may never be told their personal information has been compromised, with the prime minister saying on Friday he wasn’t aware if he was one of the victims.
On Thursday evening, the administrators for MediSecure – which went into administration after the hack – revealed 6.5TB of data had been compromised after a ransomware attack on a database server, which was discovered by the company in April.
MediSecure restored a backup of the server and determined that the information taken included contact information, Medicare and concession card information, and prescription information for the 12.9 million Australians who used MediSecure for prescription delivery between March 2019 and November 2023.
Those affected may never find out their information was taken as MediSecure has said the dataset is complex and it is “not practicable to specifically identify all individuals and their information impacted by the incident without incurring substantial cost that MediSecure was not in a financial position to meet”.
The administrators also said MediSecure had no resources for the public to contact them to see if they’re affected by the incident.
The office of the home affairs minister, Clare O’Neil, did not comment on whether the government would step in to advise those affected. Prior to going into administration, the company had sought a bailout from the federal government to keep operating but that request was denied.
A sample of the data was posted on the dark web, however the national cybersecurity coordinator, Lt Gen Michelle McGuinness, advised the public not to go searching for the data as it only feeds the cybercriminal business model and may be a criminal offence.
“I understand many Australians will be concerned about the scale of this breach. I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams,” McGuinness said in a post on X. “Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure.”
On Friday the prime minister, Anthony Albanese, said the hack was still under investigation by the Australian federal police and he was “not aware” if he was one of the 12.9m caught up in the breach. He said it was a “very significant cyber event”.
“I understand many Australians will be very concerned about this data breach that affects up to half of the Australian population,” he said.
“It is not the first and it won’t be the last. It is something that we are very conscious of as a government and we are working with the private sector, as well as with our agencies, because these issues can be an issue of national security but they can be an issue as well of the privacy of individuals.”
MediSecure was one of two electronic prescription services operating in Australia until late 2023, when the Australian government awarded the service exclusively to another company, Fred IT Group’s eRx Script Exchange. eRx is not affected by this attack.