An Australian healthcare information service which provides electronic prescriptions and a prescription monitoring service has become the latest victim of a large-scale data breach that has sent shockwaves across the nation.
The attack on MediSecure, which the company claims came from a third-party service, is being dealt with at the highest levels of government, including the Australian Federal Police, the Australian Signals Directorate and the Australian Cyber Security Centre.
It also brought major concern to medical bodies and the Australian Medical Association, which said it was seeking urgent meetings with officials to understand who might be impacted.
MediSecure claims it is the only Australian electronic prescription service to be accredited by national eHealth infrastructure and the Personally Controlled Electronic Health Record service. It also provides software for healthcare providers to use while providing services.
MediSecure confirmed in a statement dated May 13 that a breach had taken place and that it was working with federal agencies including the Office of the Australian Information Commissioner on a response.
“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems,” the statement said.
“While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.
“MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the Australian Digital Health Agency and the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.”
The AMA said it was “critical” that the public sees “clear and consistent” communication about the breach and what information has been accessed.
“The AMA has already been in contact with officials seeking urgent briefings to understand what has happened,” a spokeswoman told The Australian.
“There needs to be a thorough and transparent investigation, backed by clear and consistent communication to the public and profession. These are critical to maintaining community trust in the electronic systems that are now integral to the functioning of our health system.”
MediSecure, which is yet to speak with the media, identified itself as the victim of the breach on Thursday at about 2pm.
Its phone lines and website were down most of the day before it added the statement to its website.
“MediSecure understands the importance of transparency and will provide further updates as soon as more information becomes available. We appreciate your patience and understanding during this time,” it read.
The organisation named itself despite attempts by the Australian Signals Directorate and Australian Cyber Security Centre to keep the name out of the public domain.
Cyber Security Minister Clare O’Neil had also attempted to shut down conversations about the impacted organisation on social media.
“I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today,” she said.
“Updates will be provided in due course. Speculation at this stage risks undermining significant work underway to support the company’s response.”
When The Australian contacted the Department of Home Affairs for further information around midday on Thursday, the department said it was unable to share further information.
National Cyber Security Coordinator Michelle McGuinness said she was made aware of the incident on Wednesday afternoon, and she had convened several agencies to investigate what had happened.
“Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident,” LtGen McGuinness said in a statement on Thursday.
“I am working with agencies across the Australian Government, states and territories to co-ordinate a whole-of-government response to this incident. The Australian Signals Directorate, Australian Cyber Security Centre, and the Australian Federal Police are aware of the incident and are investigating.
“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.”
Online, MediSecure advertises itself as an electronic prescription service that “gives doctors and pharmacists the certainty of clinical integrity and data security and can help reduce errors in the prescribing and dispensing of medicines.”
The attack comes as industry experts criticised the Albanese government’s lack of cyber security investment in the federal budget on Tuesday night.
Chris Sharp, Asia Pacific chief executive of cloud marketplace Pax8, said a lack of attention to cyber defences “sleepwalks over the financial challenges of our small to medium businesses.”
The amount of sensitive data held by healthcare organisations jumped 63 per cent in 2023, according to a recent report by US cloud software service Rubrik, which found that health organisations have, on average, 42 million sensitive data records.
Meanwhile, Matt Boon, a senior research director at ADAPT, said the incident would likely encourage further scrutiny of third-party software services.
“Given a full 40 per cent of cybersecurity leaders already consider the cyber risks presented by their software supply chain as ‘severe,’ this attack will again drive home the need for companies to seriously assess their network of third-party providers — we need to be asking harder questions of them and their ability to secure customer information,” he said.