MediSecure cyberattack Australia’s biggest on record



However, the Office of the Australian Information Commissioner has shelved its inquiry into the data breach. Find out why.


A federal investigation into the massive MediSecure data breach – the largest ransomware attack in Australia on record – has been closed.

The Office of the Australian Information Commissioner (OAIC) said in a statement it had shelved the inquiry given the fact that MediSecure had entered administration.

“At this stage, the OAIC will not pursue an investigation into the personal information handling practices of MediSecure as the possible remedies that we could obtain for the community will not be proportionate to the resources required for a comprehensive investigation,” it said in the statement.

“This should not be of comfort to any organisations that hold personal information and do not have appropriate data security policies and practices in place.

“It demonstrates that organisations need to make protecting individuals’ personal information a top priority, as a data breach may destroy an organisation’s reputation and cause enormous damage to the community.”

The OAIC said its inquiries focused on ensuring that MediSecure notified individuals impacted by this breach so they could take preventative action to protect their personal information while the OAIC worked with other agencies to ensure a whole-of-government approach to building awareness about the matter.

In July, MediSecure issued a comprehensive public statement on the data breach through its website, which included an outline of the types of personal information impacted. The federal government also updated its advice for individuals whose personal information may have been compromised.

The MediSecure breach eclipsed the 2022 Optus and Medibank cyberattacks, but the company said it did not have the financial capacity to identify the almost 13 million Australians impacted.

In its statement, the company said it had “ceased its investigation of the incident” and provided its findings to the authorities and publicly. MediSecure Limited was placed in the hands of voluntary administrators Vaughan Strawbridge and Paul Harlong of FTI Consulting in June.

Until late 2023, MediSecure was a national prescription delivery service provider enabling prescriptions to be delivered from prescribers to a pharmacy of an individual’s choice.

Data from the cyberattack has been made available for sale on the dark web. It is understood a Russian hacking forum was behind the bid to sell 6.5 terabytes of stolen MediSecure data for US$50,000.

The OAIC said the MediSecure data breach affected approximately 12.9 million Australians – the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.

This week the OAIC released new statistics showing the number of data breaches notified to the regulator in the first half of 2024 was at its highest in three-and-a-half years.

The OAIC was notified of 527 data breaches from January to June 2024, according to the latest Notifiable Data Breaches report. This is the highest number of notifications since July to December 2020 and an increase of 9% on the second half of 2023.

Australian Privacy Commissioner Carly Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” she said.

“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”

As in previous reports, malicious and criminal attacks were the main source of breaches (67%), with 57% of those being cyber security incidents.

Health and the Australian Government notified the most data breaches of all sectors (19% and 12% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.

Commissioner Kind said six years on from the launch of the scheme the OAIC has high expectations of organisations.

“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” said commissioner Kind.

“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”

In June, the Australian Information Commissioner filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

The commissioner alleges that from March 2021 to October 2022, “Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988”, the OAIC said in a statement.

The proceedings follow an investigation initiated by Australian information commissioner Angelene Falk after Medibank was the subject of a cyberattack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.

“The release of personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime,” acting Australian information commissioner Elizabeth Tydd said in June.

Medibank’s business as a health insurance services provider involves centrally collecting and holding customers’ personal and sensitive health information. In the financial year ending June 2022, Medibank generated a revenue of $7.1 billion and an annual profit of $560 million.

“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” said commissioner Tydd.

“We consider Medibank’s conduct resulted in a serious interference with the privacy of a very large number of individuals.”

The OAIC will continue to take a proportionate approach to enforcement and is also focused on providing guidance to help organisations comply with their obligations, reflected in changes to the latest report.

“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like.”

For these proceedings, the Federal Court can impose a civil penalty of up to $2.22 million for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022). Whether a civil penalty order is made, and the amount, are matters before the court.

The OAIC said it has also received multiple related individual complaints and a representative complaint in relation to the Medibank data breach.
