The Weekly Cybers #27
MediSecure hack affects 12.9 million Australians but now the money has run out, and a range of smaller stories fill out a relatively quiet week.
Welcome
Half of all Australians had their data breached in the MediSecure hack, but there’s no money left to figure out who and, I guess, how.
There’s also a smattering of smaller stories in what seems to have been a relatively quiet week for Australian digital news.
Confirmed: 12.9M caught in MediSecure breach
The data exfiltrated from now-insolvent prescription processor MediSecure has been confirmed to involve 12.9 million Australians, even more than the 9.8 million customers affected by the massive Optus data breach in 2022.
The company's administrators, FTI Consulting, released a statement on Thursday saying it had “ceased its investigation of the Incident”.
The 6.5 terabytes of data related to customers whose prescriptions were processed between approximately March 2019 and November 2023, and included:
- full name;
- title;
- date of birth;
- gender;
- email address;
- address;
- phone number;
- individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- prescription medication, including name of drug, strength, quantity and repeats; and
- reason for prescription and instructions.
However, MediSecure will not be able to notify individuals because the money has run out.
The impacted server analysed by [cyber forensics consultancy] McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets. This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet.
MediSecure is not currently a part of the digital health network, having lost the tender to eRx in May 2023 and ceasing to process new prescriptions in November.
The winning script exchange solution was created by Fred IT Group, which is owned by Telstra Health and the Pharmacy Guild of Australia. Telstra Health also owns Medical Director, one of the market leaders in GP practice management software.
The contract is worth $99.2 million and eRx is now the sole provider of prescription exchange services for PBS-listed drugs.
The two companies had been cooperating as prescriptions generally remain valid for 12 months after being issued.
The National Cyber Security Coordinator has provided advice for those potentially affected, which I suppose is roughly half of you.
Russian spies? A postscript about an audit
One of the bigger stories last week, which I didn’t mention here because it was only tangentially relevant at the time, was the arrest of two Russian-born Australian citizens who were charged with spying offences.
I’ve linked to the ABC News explainer there, and you can also read a statement from ASIO boss Mike Burgess and watch the whole press conference.
Turns out that just the day before, it was reported that the Department of Defence had bungled the implementation of a $138.6 million centralised whole-of-government vetting system, according to an audit by the Australian National Audit Office (ANAO).
While the report uses ANAO's usual diplomatic language of “only partially effective” and “lack of clarity”, one statement stood out for me:
Defence does not have a program in place to monitor and review privileged user activity and does not have a process to periodically revalidate user accounts for the myClearance system.
Which means that the users of the system — the ones doing the vetting, not the ones who were subject to vetting — could still have access when their time has passed. Oops.
Of course this is not to say these deficiencies aided the alleged spies in any way, but it’s an amusing coincidence.
Also in the news
- InnovationAus ($) reports that an independent review of the National Disability Insurance Agency (NDIA) found that the board approved a massive CRM deal with Salesforce without a business case just weeks after the company met with former minister Stuart Robert. One suspects there’s a lot more to be uncovered here, given Robert’s many brushes with scandal.
- The federal police reckons there needs to be a portal for victims to report AI deepfakes and that at the moment they’re forced to “cobble together” laws. So I guess it’s a good thing that new laws are literally in the process of being made?
- “The Australian Taxation Office (ATO) will no longer send an SMS message to taxpayers to inform them their tax return has been processed, as the rising tide of fraudulent messages makes it difficult to discern real communications from costly scams,” reports The Mandarin.
- The government reckons there are now only 102,000 4G devices that will be affected by the 3G network shutdown on 1 September.
Data breaches and hacks of note
Apart from the MediSecure drama, that is.
- Sydney radiology clinic Quantum Radiology says it’s recovered the “majority” of data encrypted in a ransomware attack last year.
Elsewhere
- Parents in the ACT can now register their kids’ births via myGov, which I’m sure will be exciting for them. Services minister Bill Shorten says this trial is expected to roll out to other state and territory registries next year.
- Can doomscrolling trigger an existential crisis? That’s a solid maybe. Check out the full paper, Doomscrolling evokes existential anxiety and fosters pessimism about human nature? Evidence from Iran and the United States.
- ABC News has a nice explainer on mobile data blackspots in places you’d expect to have great coverage.
Inquiries of note
Nothing new here, as one might expect in winter.
What’s next?
Parliament is currently on its long winter break until Monday 12 August.
On Tuesday 23 July there's a public hearing in Canberra as part of the inquiry into the Criminal Code Amendment (Deepfake Sexual Material) Bill 2024.
The inquiry into the shutdown of the 3G mobile network is holding public hearings in Cooma on Tuesday 23 and Canberra on Wednesday 24.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.