Nearly half of all Australians’ health data hacked – ABC listen

Rachel Mealey: Nearly 13 million Australians have had their sensitive medical data stolen from an online prescription service, MediSecure, in one of the biggest cyber security breaches in the nation’s history. Hackers managed to steal data about people’s identity, as well as sensitive health information about medical issues, treatment and associated prescriptions. Cyber security experts say the government needs to double down on security of public health records. Jon Daly reports.

Jon Daly: Nearly half of all Australians’ health records have been the subject of one of the nation’s biggest hacks, targeting eScript provider MediSecure. Names, numbers, addresses, Medicare card details and other sensitive medical information on drug prescriptions, including associated illness, treatment and dosage, have been caught up in this data breach.

Troy Hunt: Look, I think that’s a very personal thing. For me personally, I don’t have any health related issues that would be concerning if they were made public, but many people do. And health data is a sensitive class of personal information that everyone has a reasonable expectation to privacy on.

Jon Daly: That’s Troy Hunt, a web security consultant and creator of a data breach search website called Have I Been Pwned. MediSecure made the public aware it was targeted by a ransomware attack in May, though the breadth has only now been revealed. MediSecure facilitates electronic prescriptions and dispensing, and its systems were compromised by hackers up until November last year. Troy Hunt again.

Troy Hunt: Well, there’s two things that often happen with ransomware now. And one is an attack against availability, which means they encrypt the data. So the data is not available to the operator of the service. And then money is demanded in order to provide a decryption key to get the data back. And the second thing that often happens is an attack against confidentiality. So that is the attackers say, give us money or we’ll start to leak data, which of course is what we saw happen with Medibank a couple of years ago.

Jon Daly: MediSecure went into voluntary administration in June after the federal government declined to provide it with a financial bailout. In a statement released late yesterday, the company explained it was not in a financial position to properly respond and identify individuals affected by the hack. Director of cyber intelligence at CyberCX, Katherine Mansted, says the company’s financial struggles make matters worse.

Katherine Mansted: By all accounts, by the time this breach happened, MediSecure had lost its main source of revenue, which was a federal government contract. That of course has complicated the response to this incident.

Jon Daly: A sample of the data was published on the dark web following the hack. And a larger trove of data has been listed for sale, but it’s unclear if it’s been sold. Katherine Mansted says it’s impossible for the company or authorities to secure the data before it goes to the highest bidder.

Katherine Mansted: And once the data genie is out of the bottle, it’s impossible to get that data back. So often the focus shifts then to understanding what’s happened and protecting those Australians who may be exposed.

Jon Daly: Katherine Mansted says this raises questions about the cyber security of sensitive data held by government contracted companies.

Katherine Mansted: When it comes to tenders awarded by government, what the appropriate approach is to attach decommissioning, if you were decommissioning for data provisions to those contracts. Data is a toxic asset in many senses if it’s not looked after correctly.

Jon Daly: In a statement on social media, National Cyber Security Coordinator, Lieutenant General Michelle McGuinness reassured Australians that current eScript services are not affected. She also warned people to watch out for scams referencing the MediSecure data breach and not to respond to unsolicited contact mentioning the incident.

Rachel Mealey: Jon Daly with that report.