@Sdmrf · 6 min read · CRITICAL

MediSecure Breach: 13 Million Patient Records and a Ransomware Gang's Payday

Breaking down the MediSecure breach - how attackers compromised a prescription delivery service and walked away with one of Australia's largest healthcare data thefts.


In May 2024, MediSecure, an Australian electronic prescription delivery service, disclosed that attackers had stolen data belonging to approximately 13 million individuals - roughly half of Australia’s population.

This week, the company entered voluntary administration. The breach didn’t just expose data; it killed the company.

Let’s break down what happened, what went wrong, and what the healthcare industry refuses to learn.

What Was MediSecure?

MediSecure provided electronic prescription services to pharmacies across Australia. When your doctor sent a script electronically, there was a good chance MediSecure was involved in routing it.

The data they held included:

  • Full names and dates of birth
  • Contact information
  • Medicare numbers
  • Prescription history (medications, dosages, prescribers)
  • Healthcare provider details

This is the kind of data that doesn’t expire. Your medical history is yours forever - and now it’s in criminal hands.

The Attack Timeline

Based on public disclosures and reporting:

Early April 2024: Initial compromise. Entry vector not publicly confirmed, but believed to be compromised VPN credentials.

April - May 2024: Attackers moved through the network, identified valuable data, staged exfiltration. Dwell time estimated at 4-6 weeks.

May 16, 2024: MediSecure detects “cybersecurity incident” and begins response.

May 17, 2024: Company takes systems offline.

May 24, 2024: Public disclosure of data theft.

July 2024: Confirmation of 13 million affected individuals.

January 2025: MediSecure enters voluntary administration.

What Went Wrong

Disclaimer: MediSecure hasn’t released a detailed technical post-mortem. What follows is based on public reporting and industry patterns.

1. Likely Initial Access: VPN/RDP

Healthcare organizations continue to expose remote access services directly to the internet. Based on reporting, the initial compromise involved stolen credentials, probably to a VPN or remote desktop service.

Without MFA. In 2024. For a company handling healthcare data.

2. Flat Network Architecture

Once inside, attackers apparently had extensive access to production systems and databases. This suggests:

  • Minimal network segmentation
  • Service accounts with excessive privileges
  • Databases accessible from the general corporate network

3. Detection Gaps

A 4-6 week dwell time means either:

  • No meaningful detection capabilities, or
  • Alerts that were ignored or misclassified

For a company handling the prescription data of half a country, this is indefensible.

4. Backup/Recovery Limitations

The extended outage and ultimate business failure suggest recovery capabilities were inadequate. Whether backups were encrypted, untested, or simply insufficient - the result was the same.

The Ransomware Angle

The attack has been linked to the RansomHub operation (though attribution is complicated in the RaaS ecosystem). RansomHub is a relatively new player that emerged in early 2024, absorbing affiliates from other operations.

Their playbook is familiar:

  1. Gain initial access (buy credentials, exploit vulns)
  2. Move laterally, escalate privileges
  3. Exfiltrate valuable data
  4. Deploy ransomware
  5. Double extortion: pay for decryption AND data deletion

Whether MediSecure paid is unknown. Based on the outcome, whatever they did wasn’t enough.

Healthcare’s Security Problem

This breach follows a depressingly familiar pattern. Healthcare organizations continue to be disproportionately targeted because:

The data is valuable: Medical records sell for 10-50x more than financial records on dark web markets. They enable insurance fraud, identity theft, and targeted extortion.

The pressure to pay is high: Hospitals can’t afford extended downtime. Patient safety becomes leverage.

Security investment is low: Healthcare IT budgets prioritize functionality over security. Legacy systems abound.

Compliance ≠ Security: Being HIPAA (or Australian equivalent) compliant doesn’t mean you’re secure. It means you checked boxes.

Recent healthcare breaches:

  • Change Healthcare (2024): 100M+ affected
  • Ascension (2024): Major hospital system, weeks of downtime
  • NHS England (2024): Disrupted services across multiple trusts
  • MediSecure (2024): 13M records, company destroyed

Lessons That Keep Being Ignored

I’ve written variations of these recommendations after every healthcare breach:

1. MFA on Everything External-Facing

VPN? MFA. Remote desktop? MFA. Admin panels? MFA.

Not “MFA where convenient.” MFA everywhere an attacker could gain initial access.

2. Network Segmentation

Your prescription database shouldn’t be on the same network segment as the marketing department’s laptops. Critical systems need isolation.

3. Detect Lateral Movement

Monitor for:

  • Unusual authentication patterns
  • Service account anomalies
  • Large data transfers
  • Administrative tool usage (PsExec, WMI, PowerShell remoting)
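As an added illustration of those four monitoring points (not code from the original post or from MediSecure), here is a toy detector run over constructed log events; the event field names, the `svc_` naming convention and the 5 GiB threshold are assumptions for the demo.

```python
"""Added example, not from the original post: toy lateral-movement detections
run over constructed log events. Field names are assumptions for this demo,
not any vendor's schema; thresholds and lists would be tuned to a real baseline."""
from collections import defaultdict

# Constructed sample events, one dict per log line.
EVENTS = [
    {"type": "auth", "user": "jsmith", "src_country": "AU", "logon_type": "vpn"},
    {"type": "auth", "user": "jsmith", "src_country": "AU", "logon_type": "vpn"},
    {"type": "auth", "user": "jsmith", "src_country": "RU", "logon_type": "vpn"},
    {"type": "auth", "user": "svc_rxdb", "src_country": "AU", "logon_type": "interactive"},
    {"type": "process", "host": "WS-042", "user": "svc_rxdb", "image": r"C:\Tools\PsExec.exe"},
    {"type": "netflow", "host": "DB-01", "bytes_out": 6_000_000_000},
    {"type": "netflow", "host": "DB-01", "bytes_out": 3_500_000_000},
    {"type": "netflow", "host": "WS-011", "bytes_out": 120_000_000},
]

SERVICE_ACCOUNT_PREFIX = "svc_"            # naming convention assumed for the demo
ADMIN_TOOLS = ("psexec", "wmic", "winrs", "wsmprovhost")  # remote-admin binaries
EXFIL_BYTES = 5 * 1024 ** 3                # 5 GiB outbound per host per day

def detect(events):
    """Return a list of (rule, subject, detail) alerts for the four indicators."""
    alerts = []
    seen_countries = defaultdict(set)      # per-user VPN source-country baseline
    bytes_by_host = defaultdict(int)       # per-host outbound volume
    for e in events:
        if e["type"] == "auth":
            user, country = e["user"], e["src_country"]
            # 1. Unusual authentication: VPN logon from a country never seen for this user.
            if e["logon_type"] == "vpn":
                if seen_countries[user] and country not in seen_countries[user]:
                    alerts.append(("new_geo_vpn", user, country))
                seen_countries[user].add(country)
            # 2. Service-account anomaly: these accounts should never log on interactively.
            if user.startswith(SERVICE_ACCOUNT_PREFIX) and e["logon_type"] == "interactive":
                alerts.append(("svc_interactive", user, e["logon_type"]))
        elif e["type"] == "process":
            # 3. Remote-admin tooling launched on an endpoint (PsExec, WMI, WinRM).
            name = e["image"].rsplit("\\", 1)[-1].lower()
            if name.startswith(ADMIN_TOOLS):
                alerts.append(("admin_tool", e["host"], name))
        elif e["type"] == "netflow":
            bytes_by_host[e["host"]] += e["bytes_out"]
    # 4. Large data transfer: daily outbound total above threshold for one host.
    for host, total in bytes_by_host.items():
        if total >= EXFIL_BYTES:
            alerts.append(("large_transfer", host, total))
    return alerts
```

In a real deployment the country baseline would be learned over weeks of history and the transfer threshold set per host role, but the shape of the rules is the same.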

4. Test Your Backups

Backups that haven’t been tested don’t exist. Conduct regular recovery drills. Time your restoration. Know whether you can actually recover.

5. Assume Breach

The question isn’t if you’ll be compromised. It’s whether you’ll detect it in time and limit the damage.

What Happens to the Data?

13 million medical records are now in criminal possession. They’ll likely be:

  • Sold in bulk on dark web markets
  • Used for insurance fraud
  • Used for targeted phishing (“We see you take [medication]…”)
  • Held for future exploitation as data ages

There’s no “undo” here. Those patients’ medical histories are compromised forever.

Regulatory Aftermath

The Australian government has announced reviews and potential regulatory changes. We’ll see if anything meaningful comes from it.

The Office of the Australian Information Commissioner will likely investigate, fines may be levied, but MediSecure is already in administration. The company paying a fine doesn’t help the 13 million people whose data was stolen.

Final Thoughts

MediSecure isn’t unique. They’re just the latest example of a healthcare organization that failed to adequately protect sensitive data and paid the ultimate corporate price.

The frustrating part: the attack vectors and failures are the same ones we’ve been talking about for a decade. VPN credentials. Flat networks. Inadequate monitoring. Insufficient backups.

Until healthcare organizations treat security as a patient safety issue - not just an IT problem - these breaches will continue.

Resources for Affected Individuals

If you’re one of the 13 million:

  • IDCARE - Australia’s national identity and cyber support service
  • Scamwatch - Report suspicious contact
  • Consider a credit freeze with Australian credit bureaus
  • Be skeptical of any unsolicited contact referencing your health information

Another healthcare breach, another 13 million reasons to encrypt, segment, and monitor. The industry’s next lesson is already being prepared by the next attacker.
