In one of Australia's largest data breaches, about 12.9 million people have had personal and health details stolen from electronic prescriptions service MediSecure.
Until late 2023, MediSecure operated a national prescription delivery service between medical practitioners and pharmacies. Even if you don't recognise the company's name, it is likely you may have used this service for both paper and electronic prescriptions.
The service has since been replaced by another company, eRx Script Exchange, which has not been affected by the data breach. The National Cyber Security Coordinator says that consumers can continue accessing prescriptions safely.
Even if you don't recognise the company's name, it is likely you may have used this service for both paper and electronic prescriptions
MediSecure first became aware of the incident on 13 April, when data was stolen from a server by a "malicious third-party actor". The company attributed the breach to "suspected ransomware" that encrypted their server. Ransomware works by taking over a computer system and holding it 'hostage' for payment.
Who is affected?
Australians who used MediSecure between March 2019 and November 2023 are affected by this breach.
You won't be notified if you have been affected because MediSecure says it is "unable to identify the specific impacted individuals" due to "the complexity of the data".
What data has been breached?
A range of personal data was stolen including names, dates of birth, gender, email addresses, home addresses, and phone numbers.
Sensitive details about affected people's prescriptions were also stolen. These details include prescribed drugs, their strength, quantity, and repeats, and the reason for prescriptions, as well as medical directions.
Card information was also stolen for Medicare, Pensioner Concession, Commonwealth Seniors, Healthcare Concession, and Department of Veterans' Affairs cards. This includes expiry dates, card numbers, and individual identifiers.
Services Australia and the Department of Veterans' Affairs have advised that card numbers alone cannot be used as proof of identity or to access your accounts.
When information is leaked onto the dark web, scammers can piece together information from several data sources
However, breaches like this can still increase the risk of scams and identity theft, says Kate Bower, CHOICE's consumer data advocate. When information is leaked onto the dark web, scammers can piece together information from several data sources. This allows them to build a profile of a person and make them more vulnerable to scams.
More broadly she says that data breaches can erode trust in the digital world.
"Better privacy protections and less cybersecurity incidents will help to increase trust in digital systems, so that people can go about their everyday tasks like banking and grocery shopping without worrying about security," Bower says.
What can you do?
The National Cyber Security Coordinator recommends that people be on the lookout for scams using information from this data breach. Some scams may reference the MediSecure data breach, telling people they have been caught up in the hack and need to take certain steps or click on certain links.
Others can involve unsolicited messages or calls from someone posing as a medical or financial provider seeking payment. You can stay safe by hanging up on these calls and, if necessary, contacting the company the caller claimed to be representing on a phone number you have sourced yourself.
Some scams may reference the MediSecure data breach, telling people they have been caught up in the hack and need to take certain steps
If you encounter a scam, you can report it to the National Anti-Scam Centre using the Scamwatch website.
You should also be aware of phishing emails and texts. These scams attempt to solicit information by pretending to be from a person or organisation you trust. They often involve trying to get you to click on a link.
Australians can get support from the Office of the Australian Information Commissioner and use IDMatch to get guidance on how to keep their identity information safe and protect themselves from identity crime.
Services Australia advises that Pensioner Concession, Healthcare Concession, and Commonwealth Seniors cards do not need to be replaced.
If you are concerned about your Medicare card, you can replace it through myGov. Services Australia also recommends that consumers use "more secure methods" for their myGov account including passkeys, digital IDs, strong passwords, and multi-factor authentication.
Why we need better privacy protections
Bower says this latest data breach is just another example of why stronger privacy protections are needed.
"The Privacy Act has been around since the late 1980s; it's clearly not fit for purpose for our modern digital age and this is just yet another example, and a quite potentially harmful one, of why the need for privacy reform is urgent," she says.
Bower adds that people are losing trust in businesses' ability to safeguard their data. CHOICE's latest Consumer Pulse survey found that only one in eight Australians trust that companies are using the data they collect responsibly.*
*CHOICE Consumer Pulse March 2024 is based on an online survey designed and analysed by CHOICE. 1,037 Australian households responded to the survey with quotas applied to ensure coverage across all age groups, genders and locations in each state and territory across metropolitan and regional areas. The data was weighted to ensure it is representative of the Australian population based on the 2021 ABS Census data. Fieldwork was conducted from the 19 of March until the 9 of April, 2024.
Stock images: Getty, unless otherwise stated.