MediSecure breach latest in trend of healthcare hacks

By Dan Holmes

May 19, 2024

Minister for Home Affairs Clare O’Neil. (AAP Image/Mick Tsikas)

Digital script provider MediSecure is the latest company to be involved in a “large scale” data breach, according to Australia’s national cybersecurity coordinator.

MediSecure is a former government contractor that worked on providing Australia’s eScript service. The service has been exclusively administered by eRx Script Exchange since November 2023.

A MediSecure database containing prescriptions and healthcare provider information has been affected. eRx data remains secure.

In a statement issued on May 16, MediSecure said it would work with the national cybersecurity coordinator and other relevant agencies.

“MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators,” they said.

“MediSecure is not a current participant in Australia’s digital health network. As such, this cyber security incident does not impact the prescribing and dispensing of medication.

“While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”

One of the challenges of cybersecurity is that any system is only as secure as its weakest point. This is why the majority of notifiable data breaches are now the result of some form of human error.

Recently minted cybersecurity coordinator Michelle McGuinness said there was no evidence the breach had made it from MediSecure’s systems into the wider healthcare network.

“On the basis of technical advice from MediSecure to date, the original compromise has been isolated and there is no evidence to suggest an increased cyber threat to the medical sector,” she said.

“We are looking closely at any evidence about whether identity documents have been compromised in the breach, and are working with MediSecure, Services Australia, and state and territory credential issuing bodies to build a full picture of the impacted dataset.

“We have not seen evidence so far to suggest that anyone needs to replace their Medicare card. If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know.”

Cybersecurity has quickly become a matter of concern after breaches at Medibank Private and Optus compromised the personal information of nearly half the country. This has important implications for the government not just in terms of creating secure systems and protecting citizens, but also the additional work and inefficiency created by people who need to replace personal identification documents.

Home Affairs Minister Clare O’Neil has made no secret of the fact this is a priority for her, pushing legislation earlier in the term that would force companies to take more responsibility for the customer data they were keeping. At the release of the 2023–2030 cybersecurity strategy, she said she wanted Australia to be the most digitally secure country in the world.

University cybersecurity experts have generally backed the government’s response to the incident but raised concerns about the fact medical and biometric data are being targeted more regularly.

Associate Professor of computing and IT at Melbourne University Toby Murray said this is an international trend.

“Health organisations have increasingly been targeted by ransomware criminals. The Medibank hack was of course the most high-profile such case in Australia previously and set a very strong precedent against paying ransoms, even when highly sensitive information was being published to try to force Medibank to pay,” he said.

“More recently we saw the largest health administrative network in the United States, Change Healthcare, was targeted by ransomware actors. Change Healthcare reported in April that they had paid a $22M ransom.

“The key difference was that the Change Healthcare ransomware attack made their services unavailable for thousands of customers. In contrast, the Medibank hack did not affect service availability.”

