MediSecure data breach a reminder to review risk management
Australian electronic prescription company MediSecure has announced that it has identified a cybersecurity incident impacting the personal and health information of individuals.
“We have taken immediate steps to mitigate any potential impact on our systems. While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors,” the company said in a statement on its website.
MediSecure said it is assisting the Australian Digital Health Agency and the National Cyber Security Coordinator to manage the impacts of the incident, and has also notified the Office of the Australian Information Commissioner and other key regulators.
The National Cyber Security Coordinator (NCSC) Michelle McGuinness said in a LinkedIn statement that the NCSC is working with agencies across the federal government, states and territories to coordinate a whole-of-government response to this incident.
“The Australian Signals Directorate Australian Cyber Security Centre is aware of the incident and the Australian Federal Police is investigating,” the statement said.
“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.”
Toby Murray, an Associate Professor in the School of Computing and Information Systems at The University of Melbourne, said, “It is important to recognise that investigating the impact and causes of these kinds of data breaches can be time-consuming. However, previous data breaches have made clear the importance of providing timely updates to affected individuals.
“Health organisations have increasingly been targeted by ransomware criminals. The Medibank hack was of course the most high-profile such case in Australia previously and set a very strong precedent against paying ransoms, even when highly sensitive information was being published to try to force Medibank to pay. More recently we saw the largest health administrative network in the United States, Change Healthcare, was targeted by ransomware actors. Change Healthcare reported in April that they had paid a $22m ransom.
“The key difference was that the Change Healthcare ransomware attack made their services unavailable for thousands of customers. In contrast, the Medibank hack did not affect service availability. This is a crucial distinction. At the moment it is not clear whether this most recent hack against MediSecure affects service availability or not,” Murray said.
A risk management reminder
This cyber attack is a reminder to all organisations which hold personal information to redouble their risk management activities to ensure they are only collecting, storing and using the bare minimum required, said Professor Nigel Phair, Department of Software Systems & Cybersecurity, Faculty of Information Technology, Monash University.
“There is nothing more serious nor sensitive than having health data exposed; let’s hope this organisation can work with the Australian Government and appropriate service providers to limit any damage which may come from this matter,” Phair said.
Joel Lisk, a Research Associate in the Jeff Bleich Centre for Democracy and Disruptive Technologies at Flinders University, said, “Early reporting indicates that the incident has arisen from a third-party service provider. This is an important reminder that while an organisation might take steps to protect personal information it holds, its service providers and those external third parties that can access that information need to adhere to and implement those security measures. Third parties with access can be the weak link in an otherwise strong cybersecurity system.”
While it is unclear if data has been exfiltrated (stolen) from MediSecure, users of their service should be cautious of any communications purporting to be from the organisation, warned Associate Professor Paul Haskell-Dowland, Associate Dean of Computing and Security at Edith Cowan University.
“We are also likely to see scams that use the story as a ‘hook’ to target victims (not necessarily just the cybercriminals involved in the ransomware incident). Never click on links in unsolicited emails or SMS messages and independently validate the legitimacy of calls (phone back on a published number),” Haskell-Dowland said.
Privacy laws — urgent reform needed
“As with the Medibank data breach in 2022, the MediSecure attack demonstrates that organisations which handle large quantities of sensitive information are prime targets for cybercriminals. Prescription information is highly sensitive and if released can cause significant distress and harm to those caught in the attack,” said Dr James Scheibner, a Lecturer in Law at Flinders University.
“Australian privacy laws are in urgent need of reform to help prevent these attacks. Currently, the rules that apply to prescriptions and other health information are fragmented across multiple pieces of legislation. Privacy laws in other jurisdictions, such as the European Union and California, require entities handling sensitive information to implement privacy by design and default and conduct data privacy impact assessments. The obligations under these laws also extend to any entities which process data on behalf of another entity. This requirement is particularly relevant to the case of MediSecure, as the attack was conducted via a third-party provider.
“Although the Federal Attorney-General has discussed introducing a revised Privacy Act to Parliament, there is an urgent need for federal, state and territory governments to work together to introduce new comprehensive and cohesive privacy laws. Healthcare providers and other organisations which handle healthcare information also need to explore advanced privacy-enhancing technologies to stay one step ahead of cybercriminals.”