The MediSecure data breach highlights the health care sector’s susceptibility to such attacks, and it is imperative that the government and health care providers work together to better protect sensitive health data.

MediSecure, an Australian prescription delivery service provider, experienced a ransomware attack in April 2024 (timeline shown in Table 1). This resulted in a breach impacting approximately 12.9 million Australians, releasing sensitive personal and health information to the dark web for sale. It has been reported that the stolen data included names, dates of birth, addresses, health care identifiers, Medicare card numbers and prescription details.

The health care sector’s susceptibility to such attacks is partly due to the high value of health data for cyber criminals, making it a prime target. This incident adds to the growing trend in Australia where health care data breaches have become increasingly common. Between 2019 and 2020, Australia’s health care sector saw an 84% rise in reported cyber security incidents. These large scale cyber security incidents have highlighted the importance of securing confidentiality of health care records as data breaches have potential to cause real harm.

The health care sector is a prime target for cyber criminals due to the high value of health data (Nan_Got/Shutterstock).

Reports suggest that 64% of Australians lack confidence in the ability of large organisations to keep their personal data safe. Although Australians are concerned about their privacy, many may not be aware of the impact that identity theft or scams can have on them personally. A recent study of individuals’ awareness, perception and responses to data breaches indicated that 73% of participants were affected by at least one breach, and 74% of participants were unaware of breaches affecting them. Although some reported intention to act, most participants believed the breach would not impact them. Moreover, studies have indicated that many are unaware of potential long term consequences, including identity theft and misuse of personal health information. The impacts of these crimes can be severe, highlighting the importance of robust information security governance in health care.

Date | Event
--- | ---
2009 | MediSecure started prescription service delivery for Australians.
1 July 2023 | Australian Government Department of Health and Aged Care contracted another provider (not MediSecure) to be the National Prescription Delivery Service (NPDS).
November 2023 | MediSecure prescription service delivery registration ceased; IT environment maintained.
13 April 2024 | MediSecure database found to be encrypted; ransomware suspected. During investigations, 6.5 TB of data was found to have likely been exfiltrated by a malicious third-party actor, but the contents could not be confirmed because the data was encrypted. Notification occurred.
16 May 2024 | Public notification of cyber incident.
17 May 2024 | Full backup restored, but identifying the impacted data was very complex and therefore very costly, a cost MediSecure was unable to meet.
31 May 2024 | MediSecure confirmed that a data set containing the personal information and limited health information of its customers had been made available on a dark web forum.
3-4 June 2024 | MediSecure appointed administrators and liquidators and ceased its investigations into the cyber crime. AFP and ASD investigations continue.

Table 1: MediSecure incident timeline

Reform urgently needed

The Office of the Australian Information Commissioner (OAIC) has consistently highlighted the need for comprehensive reforms to the Privacy Act to address the evolving threat landscape and better protect Australians’ personal information.

Reports from the OAIC, such as the Notifiable Data Breaches (NDB) scheme reports, indicate that the health care sector remains one of the most affected by data breaches. These breaches often result from inadequate data handling processes, human error and malicious attacks, pointing to the need for more robust legal frameworks and organisational practices.

The proposed updates to the Privacy Act, supported by the OAIC and the Attorney-General’s Department, aim to ensure that privacy laws keep pace with technological advancements and provide a stronger framework for handling personal data in response to the increasing frequency and severity of data breaches.

There remains a significant evidence gap regarding implementable, comprehensive strategies that integrate the various aspects of privacy and information security into cohesive organisation-wide governance, specific to the nuances of health care environments. The organisational strategies listed in Table 2 align with the Australian Signals Directorate Essential 8, a framework designed to help organisations mitigate cyber security risks. However, to truly safeguard sensitive health data, these strategies must be implemented as part of a comprehensive information security governance framework within health care organisations. Most existing evidence focuses either on the technical aspects of cyber security or on organisational and behavioural factors in isolation, and organisations, like individuals, may be unaware of the significance of the risks to which they are exposed.

Table 2 sets out actions individuals can take to protect their information alongside the corresponding Australian Signals Directorate Essential 8 controls that organisations use to mitigate cyber security risks.

Individual protections | Organisational protections
--- | ---
Be aware of when you share information and with whom. Do you really need to provide your full name, date of birth and home address, or will less identifying information be sufficient (eg, just first name, age, postal address)? | Develop an information security policy
Know what information you have: your accounts, assets, etc. Check assets regularly to ensure there isn't any unusual activity or access. | Record organisational information assets
Don't download or click on links or files you aren't sure are safe. | Application control
Secure your email addresses. | Restrict administrative privileges
Secure your devices using anti-virus and malware prevention software. | User application hardening
Set up multifactor authentication and use secure passwords or passphrases. | Multifactor authentication
Update your devices and software regularly. | Patching of applications; patching of operating systems
Back up your important files regularly. | Backups
If you experience an issue, report it and get help. | Reporting

Table 2: Protective actions for individuals and organisations (based on the Essential 8)

Our research

We are undertaking a program of research to help bridge this divide by understanding the interdependencies between technical systems, human factors and organisational governance controls for information security. This requires a holistic understanding of information security governance, especially in view of continuing digital transformations, including use of artificial intelligence, and the sensitive nature of health data.

In our research programs, we seek to explore a holistic approach to information security governance, emphasising the integration of both technical and non-technical controls to protect against cyber threats. We are conducting mixed-method studies involving diverse health care stakeholders across Australia. We anticipate this approach will yield new insights into the perceptions of health care professionals regarding current information security practices and barriers to adopting more robust governance mechanisms. This will likely inform more appropriate information security mechanisms, that can be more effectively used for the protection of sensitive and important health care data stored in health care organisations.

Moving forward, it is imperative for the government and health care providers to implement appropriate and effective information security measures, reform outdated legislation and foster a culture of holistic proactive risk management. By doing so, we can work together to better protect sensitive health data and maintain public trust in digital health care systems and associated innovations.

Ms Lisa Pomrey currently manages the information security team for Queensland Health's fastest growing public health and hospital service. She has thirty years of experience across health care, clinical science, ICT, business and cyber security. She is also a PhD candidate at QUT focusing on innovation in information security governance in health care.

Dr Shane Black is a technology consultant and academic with over 30 years of experience in IT, specialising in digital transformation and process improvement. He works across various industries, offering strategic leadership to optimise technological processes and drive innovation.

Amina Tariq is an Associate Professor in Digital Health within the School of Public Health and Social Work at QUT. Her research strengthens the global digital health agenda, enabling health stakeholders to adopt an evidence-based approach to mitigate patient safety risks associated with technology while maximising efficiency benefits.

Professor Steven McPhail is a health systems innovator, health services researcher, health economist and clinician. He is Director of the Australian Centre for Health Services Innovation (AusHSI) and Director of the Centre for Healthcare Transformation at the Queensland University of Technology, where he is the Professor of Health Services Research. His work has been impactful locally and internationally, including having been cited in policy-related documents from the World Bank, EU, OECD and World Health Organisation.

The statements or opinions expressed in this article reflect the views of the authors and do not necessarily represent the official policy of the AMA, the MJA or InSight+ unless so stated. 
