I missed this in regard to #medisecure

"The OAIC will not pursue an investigation into the personal information handling practices of MediSecure as the possible remedies that we could obtain for the community will not be proportionate to the resources required for a comprehensive investigation. This should not be of comfort to any organisations that hold personal information and do not have appropriate data security policies and practices in place."

https://www.oaic.gov.au/news/media-centre/statement-on-medisecure-data-breach-september-2024

So the OAIC has done nothing, there have been no changes to the design of electronic prescribing systems to prevent this happening again, and no news that I know of from the AFP on their investigation.

@daedalus


There's plenty of work still to go on EP. The #medisecure breach could still happen again, as no real change has been made to the underlying infrastructure. The options for people who don't have a smartphone still aren't great. Sending a prescription direct to a pharmacy (which is requested a lot by patients and required in some cases) sucks, especially for the pharmacist.

I sat in a meeting room in early 2019 as we went round in circles and thought "this is never going to happen". It's nice to have been wrong.

#MediSecure, an electronic medical prescription provider, was hacked earlier this year. The result is 12.9 million profiles of #Australian users currently for sale on the dark web.

As usual, given the anaemic data protection and privacy laws in #Australia, MediSecure has not even bothered so far to notify any of the people affected. They know they will not be held accountable and there will be no consequences to their irresponsibility.

In the ever-evolving landscape of cybersecurity, another chilling chapter has been written. Hidden amidst the #CrowdStrike news cycle, a devastating revelation emerged: #MediSecure has fallen victim to a colossal #ransomware attack, compromising the personal #data of 12.9 million individuals. This #breach exposes our digital infrastructure’s vulnerabilities.

Names, addresses, medical histories, and more—intimate details of millions—now rest in the hands of cybercriminals. The sheer scale of this attack highlights the urgent need for a seismic shift in our approach to cybersecurity.

A critical component is recognizing the importance of machine-to-machine (M2M) identity access management. In our interconnected world, ensuring each machine has a secure identity is paramount. This added security layer can prevent unauthorized access and mitigate breach risks.

Investment in cutting-edge technology and unwavering commitment to security must become our new standard.

Security Affairs: "MediSecure data breach impacted 12.9 million individuals" (personal and health info of 12.9M individuals was exposed in a ransomware attack on Australian firm MediSecure)

On the upside, I'm expecting spam for massively cheaper prescriptions from Russia and/or China now

#MediSecure

The #MediSecure breach is particularly troubling because it makes plain that the government either cannot, or does not want to, help us in this sort of situation.

Which raises questions about what the point of them is.

As several other fellow tech nerds have commented: given that dataset and the likely database structures, we could figure out who most of the people are, because we have done similar stuff before and it's fiddly but not super hard.

Indeed! Ponder, then, on the purpose of making it seem very difficult and mysterious and why the people doing that might want to give that impression.

#MediSecure

One might also wonder wtf is the point of having the AFP, ASD, National Cyber Security Coordinator, and National Office of Cyber Security involved since their combined efforts have apparently managed to: restore the database server from backups. #MediSecure

Also, looking at that list of data types, it does rather contradict MediSecure's public statements about how it "only collects non-personal information about your prescription", eh?

https://web.archive.org/web/20231028131540/https://www.medisecure.com.au/privacy-policy/

Looks like they lied about what they were doing pretty comprehensively.

#MediSecure
