In May 2024, MediSecure — a company that provided electronic prescription delivery services for Australian pharmacies and healthcare providers — suffered a ransomware attack. The breach exposed the personal and health information of approximately 12.9 million Australians, making it one of the largest data breaches in Australian history.
The data exposed included names, dates of birth, addresses, Medicare numbers, individual healthcare identifiers, concession card numbers, and prescription details. Shortly after, the stolen data was listed for sale on a dark web forum.
MediSecure was not a large hospital with hundreds of millions in annual revenue. It was a smaller healthcare technology organisation that, like many practices, held far more sensitive data than most people realised.
The attack was a ransomware incident — attackers encrypted MediSecure's systems and then exfiltrated data before demanding a ransom. MediSecure entered voluntary administration shortly after the breach became public, meaning it was unable to respond effectively to the incident or support affected individuals.
The specific entry point that allowed the attackers in has not been publicly disclosed. However, the patterns common to this type of attack typically involve compromised credentials, unpatched vulnerabilities, or phishing — the same vectors that threaten every healthcare organisation.
MediSecure wasn't a global corporation. It was a mid-sized technology provider in the Australian healthcare sector. Attackers don't filter targets by size — they look for organisations with valuable data and accessible vulnerabilities. A dental practice with 5,000 patient records and inadequate security controls is a target.
The combination of information held by healthcare organisations — Medicare numbers, health conditions, prescriptions, personal identifiers — is worth significantly more to criminals than financial data alone. It can be used for identity theft, insurance fraud, and extortion. Once it's sold or published, you can't take it back.
Early ransomware attacks only encrypted files and demanded payment for the decryption key. Modern ransomware groups add a second layer: they exfiltrate data before encrypting, then threaten to publish it if the ransom isn't paid. This means even if you have good backups and can recover without paying, your patient data may still be leaked. The two threats must be addressed together.
Notifiable Data Breaches: Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, Australian health service providers are required to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. A ransomware attack that exposes patient records almost certainly meets this threshold. Non-compliance can result in significant penalties.
If your only plan is to restore from a backup, you're only protected against the encryption half of a ransomware attack. The exfiltration of data — and the threat to publish it — isn't addressed by a backup. You need controls that detect and block exfiltration before it happens: endpoint protection, network monitoring, and data loss prevention policies.
Many practices rely on third-party technology vendors — practice management software, billing platforms, prescription services, cloud storage providers. Each vendor that holds your patient data is an extension of your attack surface. It's worth asking your key vendors about their security practices, incident response plans, and data breach history.
MediSecure's ability to respond to the incident was severely constrained by the scale of the breach and its financial position. Even for a smaller practice, having a written incident response plan — who to call, what to do in the first hour, how to notify patients and regulators — reduces chaos and limits damage when something goes wrong.
You don't need to implement everything at once. The most impactful immediate actions are:
These four steps don't eliminate risk entirely — nothing does. But they close the gaps that attackers exploit most often, and they give you options if something does go wrong.
We assess your security posture — backups, MFA, endpoint protection, and more — as part of a free security audit for Australian dental and medical practices.