About 12.9 million Australians are impacted by the breach of defunct electronic prescription provider MediSecure, with 6.5TB of personal and “limited health” data stolen.
The size of the incident means it is larger than the Optus attack, which affected up to 10 million people.
The attack, which was disclosed in May, was detected mid-April when a database server was “encrypted by suspected ransomware”, according to a more detailed analysis of the incident.
The encryption of the database server made it hard to immediately assess what had been accessed and stolen, according to the post-incident report.
It took a month, and outside assistance, to “successfully restored a complete backup of the server”, which showed the server housed “an extremely large volume of semi-structured and unstructured data stored across a variety of datasets.”
“This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the post-incident report states.
MediSecure entered voluntary administration not long after the attack was disclosed.
The net result is that MediSecure and the organisations assisting it have now confirmed that around 12.9 million Australians are caught up in the attack, “based on individuals’ healthcare identifiers”.
But, according to MediSecure, it is “unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the dataset.”
The range of data held on the server included personal details, as well as a number of government and health credential numbers and expiries.
The data is from the period March 2019 to November 2023.
Owing to its previous role in prescription medication fulfilment, details of the ‘name of drug, strength, quantity and repeats; and reason for prescription and instructions”, are also in the exposed datasets.
National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, said in a statement that “at this time, the Australian government is not aware of publication of the full dataset.”
“No one should go looking for or access stolen sensitive or personal information from the dark web,” she said.
“This activity only feeds the business model of cyber criminals and can be a criminal offence.
“I understand many Australians will be concerned about the scale of this breach.
“I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams.”
McGuinness said the incident remains under investigation by the Australian Federal Police.