MediSecure,which provides electronic prescription services to healthcare professionals, which the Australian Federal Police are now investigating.
A week later,a member of a Russian hacking forum has claimed to be in possession of 6.5 terabytes of data,with personal information,including insurance numbers,names and addresses of thousands of Australians,up for grabs.
A screenshot of the apparent MediSecure leak on a Russian hacking forum.Supplied.
“For sale:Database of an Australian medical prescriptions company MedSecure[sic],” the post reads.
“Includes information on citizens,insurance numbers,phone numbers,addresses,full names,supplier information,contractor information,emails,user+passwords for MedSecure website,prescription information (who was prescribed what),IP addresses of visitors to the site and etc.”
The forum member said they would only sell the information to one buyer.
Australia’s national cybersecurity coordinator,Lieutenant General Michelle McGuinness,is working with federal government agencies and states and territories to respond to the incident. The Australian information commissioner is also investigating whether MediSecure complied with federal laws requiring companies to notify authorities when they become aware of a data breach.
Cybersecurity analyst group CyberKnow said their research indicated the forum post was likely legitimate.
“The threat actor created their account on May 15,2024,and may well have created it for the sole purpose of attempting to sell the stolen MediSecure data. They have not posted anything else to the forum,” CyberKnow said in a statement.
“A good takeaway for Australians from this incident is to appreciate that the cyberthreat landscape is diverse,and groups and actors can impact businesses regardless of their capability,organisation or structure.”
MediSecure was contacted for comment,as was the office of federal Cybersecurity Minister Clare O’Neil.
“The cybersecurity incident relates to data held by MediSecure’s systems up until November 2023,” the company said last Saturday.
‘Continual challenges’
Earlier this week,Australian Privacy Commissioner Carly Kind said the MediSecure hack had again highlighted deficiencies in how organisations collect and protect customer data.
“While this situation is ongoing,any major data breach reinforces the reality of today’s world:there are increasing cyberthreats and continual challenges to digital defences,” she said on Tuesday.
Privacy Commissioner Carly Kind.Nine
“Protecting individuals’ personal information should be a top priority for all organisations,which should continually review and improve their practices and take control where they can. Only collect information that is necessary for you to carry out your business. Know what information you hold. And if that information is not necessary to your business,delete it.
“The coverage of Australia’s privacy legislation lags behind the advancing skills of malicious cyberactors. Reform of the Privacy Act is urgent to ensure all Australian organisations build the highest levels of security into their operations”,Kind said.
The Market Recap newsletter is a wrap of the day’s trading..