Half of Australia’s population has been caught up in the cyberattack on MediSecure, but the company can’t afford to find out exactly who had their data stolen and notify them.
The e-prescription provider’s administrators released an update on the incident this evening, in which they said 12.9 million Australians’ details were compromised in the April hack.
That makes it bigger than the Optus and Medibank data breaches in 2022.
However, the administrators said MediSecure didn’t have the financial means to identify exactly which of its customers were impacted, making it impossible for them to be notified that their data had been stolen.
“MediSecure can confirm that approximately 12.9 million Australians are impacted by this incident based on individuals’ healthcare identifiers,” administrators FTI Consulting said in a statement.
“However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.”
The impacted server analysed by an external adviser consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets.
“This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet.”
The company also doesn’t know what data had been compromised, only that 6.5 terabytes was stolen – the equivalent of billions of pages of text.
“The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor, however the encrypted server could not be examined to ascertain the information specifically accessed,” the administrators said.
The hack happened in April, but MediSecure didn’t notify the public of the incident until May.
It then went into administration in June, while its subsidiary Operations MDS, which administrators found was the “main trading entity of the corporate group”, went into liquidation.
MediSecure had provided a system that allowed healthcare professionals like GPs to send prescriptions to patients electronically, but the system hadn’t been used for new electronic prescriptions since November 15, after the federal Health Department made eRx the sole e-script provider.
9News