Photo by FlyD on Unsplash

EXPERT REACTION: Electronic prescription company MediSecure victim of 'large-scale' data breach

Not peer-reviewed: This work has not been scrutinised by independent experts, or the story does not contain research data to review (for example an opinion piece). If you are reporting on research that has yet to go through peer-review (eg. conference abstracts and preprints) be aware that the findings can change during the peer review process.

Opinion piece/editorial: This work is based on the opinions of the author(s)/institution.

The Australian government is investigating a 'large-scale ransomware' data breach of script provider MediSecure. In a statement, MediSecure said it had identified a cyber security incident impacting the personal and health information of individuals and that the company was actively assisting the National Cyber Security Coordinator to manage the impacts of the incident. Below, Australian experts comment on the incident.

Organisation/s: Australian Science Media Centre

Funder: None

Attachments:

  • MediSecure
    Web page
    Statement from MediSecure

Expert Reaction

These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.

Associate Professor Mamello Thinyane is the Optus Chair of Cybersecurity and Data Science at the University of South Australia (UniSA)

Initial reports indicate that this incident is a ransomware attack that exploited supply-chain vulnerabilities through a third-party vendor. Gone are the days when ransomware attacks merely locked up an organization’s data. Nowadays, cybercriminals employ multiple extortion tactics, including data exfiltration and the threat to release highly sensitive personal information, in order to pressure organizations into paying ransoms.

This incident, along with previous ones and those yet to come, underscores the critical need for all of Australia to bolster our collective cyber resilience capabilities. Each of us has a role to play: we must be well-prepared for what has unfortunately become an inevitability (cyber attacks), minimize our cybersecurity risk exposure, have robust recovery and continuity plans in place, and learn from these incidents to propel our journey toward becoming the most cyber-resilient country by 2030.

Last updated: 28 May 2024 3:31pm
Declared conflicts of interest:
None declared.
Toby Murray is a Professor in the School of Computing and Information Systems at The University of Melbourne

It is important to recognise that investigating the impact and causes of these kinds of data breaches can be time consuming. However, previous data breaches have made clear the importance of providing timely updates to affected individuals.

Health organisations have increasingly been targeted by ransomware criminals. The Medibank hack was of course the most high-profile such case in Australia previously and set a very strong precedent against paying ransoms, even when highly sensitive information was being published to try to force Medibank to pay. More recently we saw the largest health administrative network in the United States, Change Healthcare, was targeted by ransomware actors. Change Healthcare reported in April that they had paid a $22M ransom. The key difference was that the Change Healthcare ransomware attack made their services unavailable for thousands of customers. In contrast, the Medibank hack did not affect service availability. This is a crucial distinction. At the moment it is not clear whether this most recent hack against MediSecure affects service availability or not.

Last updated: 16 May 2024 5:38pm
Declared conflicts of interest:
None declared.
Associate Professor Paul Haskell-Dowland is Associate Dean of Computing and Security at Edith Cowan University

With another scam being announced, the Australian public will rightly be concerned over the implications for potential personal information disclosure as a consequence of the MediSecure ransomware incident. While we are still very early in the investigation process, it is important that the public do not panic and stay vigilant.

It is unclear if data has been exfiltrated (stolen) from MediSecure, but users of their service should be cautious of any communications purporting to be from the organisation. We are also likely to see scams that use the story as a ‘hook’ to target victims (not necessarily just the cyber criminals involved in the ransomware incident). Never click on links in unsolicited emails or SMS messages and independently validate the legitimacy of calls (phone back on a published number).

Last updated: 16 May 2024 5:27pm
Declared conflicts of interest:
None declared.
Dr James Scheibner is a Lecturer in Law at Flinders University

As with the Medibank data breach in 2022, the MediSecure attack demonstrates that organisations which handle large quantities of sensitive information are prime targets for cybercriminals. Prescription information is highly sensitive and if released can cause significant distress and harm to those caught in the attack.

Australian privacy laws are in urgent need of reform to help prevent these attacks. Currently, the rules that apply to prescriptions and other health information are fragmented across multiple pieces of legislation. Privacy laws in other jurisdictions, such as the European Union and California, require entities handling sensitive information to implement privacy by design and default and conduct data privacy impact assessments. The obligations under these laws also extend to any entities which process data on behalf of another entity. This requirement is particularly relevant to the case of MediSecure, as the attack was conducted via a third-party provider.

Although the Federal Attorney-General has discussed introducing a revised Privacy Act to Parliament, there is an urgent need for Federal, state and territory governments to work together to introduce new comprehensive and cohesive privacy laws. Healthcare providers and other organisations which handle healthcare information also need to explore advanced privacy-enhancing technologies to stay one step ahead of cybercriminals.

Last updated: 16 May 2024 5:15pm
Declared conflicts of interest:
None declared.
Joel Lisk is a Research Associate in the Jeff Bleich Centre for Democracy and Disruptive Technologies at Flinders University

The announced data breach and ransomware involving MediSecure is an unfortunate consequence of the concerted efforts by malicious actors in the modern era. The collection and aggregation of large volumes of data, especially highly sensitive personal health information, will always be an attractive target for criminal organisations. These large-scale data breaches are becoming more common and follow from the recent Medibank and Optus breaches. 

Early reporting indicates that the incident has arisen from a third-party service provider. This is an important reminder that while an organisation might take steps to protect personal information it holds, its service providers and those external third parties that can access that information need to adhere to and implement those security measures. Third parties with access can be the weak link in an otherwise strong cyber security system.

With the data subject of the ransomware attack being sensitive health information, it is good to see rapid action by MediSecure, the Australian Digital Health Agency, National Cyber Security Coordinator and enforcement agencies to cooperatively address the breach. This coordination reflects the learnings from the Australian Government in the aftermath of recent large data breaches.
Last updated: 16 May 2024 5:10pm
Declared conflicts of interest:
None declared.
Professor Nigel Phair is from the Department of Software Systems & Cybersecurity, Faculty of Information Technology at Monash University

The news of another healthcare-related organisation encountering a cyber attack and subsequent ransom demand will be troubling for many Australians. We have learnt from other major cyber attacks against Australian organisations which hold the personal identities of Australians that the after effects are major and ongoing.
There is nothing more serious nor sensitive than having health data exposed, let’s hope this organisation can work with the Australian government and appropriate service providers to limit any damage which may come from this matter.
This cyber attack is a reminder to all organisations which hold personal information to redouble their risk management activities to ensure they are only collecting, storing and using the bare minimum required.

Last updated: 16 May 2024 4:57pm
Declared conflicts of interest:
None declared.
Professor Matthew Warren is the Director of the RMIT University Centre for Cyber Security Research and Innovation at RMIT University

The ongoing cyber incident at MediSecure highlights the importance of health care and the disruption that a cyber incident causes nationally with patients.

The cyber incident is an ongoing investigation and not much is known at the moment, but we will find out more as the facts unfold.

According to media reports, MediSecure has been operating since 2009. In November last year, it stopped being used for new scripts after the government’s publicly funded national prescription delivery service began. However, it was kept online to preserve existing scripts issued through its service.

It looks as if the patients that will be impacted will be old, existing customers which may minimise any impact.

The government’s new approach to cyber security incident handling, and the key role of Australia's National Cyber Security Coordinator, will be key in dealing with a cyber incident of national significance such as this.

What it shows is the new energy that the government has in dealing with a national cyber incident.

In the meantime, the government with MediSecure will be handling the current cyber situation to resolve it as soon as possible. More information will be forthcoming over the next few days.

Last updated: 07 Apr 2025 1:55pm
Declared conflicts of interest:
None declared.
