The electronic prescriptions provider MediSecure has revealed 12.9 million people, or almost half of the whole country, had their personal and health data stolen by hackers earlier this year in one of the biggest breaches in Australian history.
On April 14 MediSecure, which facilitates electronic prescriptions and dispensing, became aware a database server had been encrypted by suspected ransomware.
The company had previously not said how many people had been affected by the breach, but on Thursday the provider’s administrators released an update revealing millions of Australians have had their data stolen, though the company could not identify exactly who has been affected.
“MediSecure can confirm that approximately 12.9 million Australians are impacted by this incident based on individuals’ healthcare identifiers,” administrators FTI Consulting said in a statement.
“However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.”
The company said the data included details such as full names, phone numbers, home addresses, Medicare numbers and the medications people were prescribed.
In total, 6.5 terabytes of data were taken by hackers, which is the equivalent of billions of pages of text.
“This made it not practicable to specifically identify all individuals and their information impacted by the incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the administrators said.
“The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor, however, the encrypted server could not be examined to ascertain the information specifically accessed.”
The National Cyber Security coordinator lieutenant general, Michelle McGuinness, said in a statement that there was no effect on prescriptions.
“People should keep accessing their medications and filling their prescriptions,” McGuinness said.
McGuinness said the government did not believe the full data set had been published on the dark web and warned against people going looking for it.
“I understand many Australians will be concerned about the scale of this breach,” she said. “This activity only feeds the business model of cyber criminals and can be a criminal offence.”
McGuinness also warned people against scammers who may use their data to contact them.
“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently.”
MediSecure was one of two ePrescription services until late 2023, when the Australian government awarded the service exclusively to another company, Fred IT Group’s eRx Script Exchange.
MediSecure appointed liquidators and went into administration in June and is not part of Australia’s digital health network.
The national prescription delivery service, eRx, is not affected by this cyber incident, the government confirmed.