Doctors and pharmacists named in a sample of stolen MediSecure data up for sale on the dark web say they are yet to be contacted by the company despite their information being available online for over a week.
A sample of data from the electronic prescription provider seen by the ABC contains clinician log-in credentials, as well as prescriber numbers and medical practice details.
The sample does not include patient names but has encoded script numbers, pharmacist approval numbers and medication instructions linked to the prescribing doctor and dispensing pharmacist.
Included in the sample of data posted online is a screenshot showing the full names and prescriber numbers of 11 Australian doctors.
Of the four doctors the ABC was able to speak to, all said they had had no contact from MediSecure or authorities about the hack.
Sharon Gupta, a western Sydney GP whose name appeared in the sample, said it was concerning that the first she heard about it was from the ABC.
“This is very, very problematic, especially depending on what kind of information is leaked,” she said.
“To have it leaked on something like the dark web is very serious.”
Yousef Sa-Adi, a doctor from south-western Brisbane, said he was “very concerned” when the ABC told him his details were on the dark web.
“Failure to protect medical data brings the safety of electronic records under question,” he said.
MediSecure data on sale for the ‘best price’
Three weeks ago it emerged publicly that MediSecure, formerly one of the two main providers of medical prescription services in Australia, had been hacked.
One week later, a user posted in a Russian cybercrime forum on the dark web, claiming they had the MediSecure data and were selling it for $50,000.
The dark web is a hidden part of the internet that is not accessible with standard search engines or internet browsers, making it an attractive place for hackers to peddle their wares.
Included in the user’s post were several screenshots, seen by the ABC, which appear to contain legitimate prescription information.
Earlier this week the user posted an announcement which said they had received “many proposals” and asked people to send through their best offers.
“As a person motivated by money … I am setting a new rule,” they said, in a screenshot provided to the ABC.
“After four days, the base will be sold to the one who offers the best price.”
Health data valuable to cybercriminals
Doctors told the ABC that they felt they should have been informed sooner that their names and personal information had appeared in this leak.
Dr Gupta said without a full picture of what other information was up for sale, it was hard to tell what it could be used for.
“I would need to know exactly how much information has been leaked,” she said.
“I think there should have been more direct contact with the doctors — this is quite unsettling to find out this way.”
Dr Sa-Adi agreed, saying he wanted more information.
“All I know is that my prescriber number and my name was stolen, this data already comes on any script that a GP issues and I don’t see any risk if that is the only stolen data,” he said.
“However, I cannot be sure until I’m reassured by related authorities.”
A Department of Home Affairs spokesperson told the ABC: “MediSecure has a legal obligation to notify individuals at risk of serious harm as a result of the data breach that affected the company.
Data could be used to better target scams
The doctors’ details, including Medicare Provider numbers and prescriber numbers, would not be enough information to gain access to Medicare records, the department said.
“These claiming systems include security measures to prevent unauthorised access,” the spokesperson said.
Regardless, cybersecurity expert Evan Vougdis from NSB Cyber said medical data was valuable to cybercriminals and could be used to make scams more targeted — or even to try and access medication.
“If you know somebody’s name, their date of birth, their address, and … what medication they’re on, there are numerous avenues where things can happen,” he said.
‘Cyber incident’ still under investigation
Earlier this week MediSecure went into administration after its request for a bailout from the federal government was denied.
MediSecure has still not said how many Australians have been affected but confirmed the data taken was from its systems up until November last year.
Both the federal government and the Australian Medical Association (AMA), the peak professional body for doctors, said they believed the hack did not affect current prescriptions.
“We have advised our members that they should continue to prescribe as per usual,” AMA president Steve Robson said.
“Patients should continue to have their prescriptions dispensed, and Medicare provider numbers or PBS prescriber numbers do not need to be changed.”
Loading…
The ABC sent a list of questions to MediSecure’s administrator FTI Consulting but it declined to comment, citing an ongoing federal government investigation.
A spokesperson referred the ABC to an earlier statement which said: “We will be speaking to the Australian government about what they need from the company and the next steps in the response to the cyber incident.”
The government’s digital health agency said in January over 189 million electronic prescriptions had been issued since May 2020, by more than 80,000 prescribers — GPs and nurse practitioners.
Loading…
Posted , updated