Federal police are investigating a large-scale data breach at a health organisation.
National Cyber Security Coordinator Lieutenant-General Michelle McGuinness on Thursday said a “commercial health information organisation” was the victim of the ransomware attack.
“I am working with agencies across the Australian government, states and territories to coordinate a whole-of-government response to this incident,” she said in a statement.
“The Australian Signals Directorate, Australian Cyber Security Centre is aware of the incident and the Australian Federal Police is investigating.
“We are in the very preliminary stages of our response and there is limited detail to share at this stage but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.”
The statement did not identify the company. However, MediSecure – a company that handles electronic prescriptions – has since released a statement acknowledging it was targeted in the breach.
“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems,” it read.
“While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.
“MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the Australian Digital Health Agency and the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.
“MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.”
Home Affairs Minister Clare O’Neil confirmed she had been briefed on the matter.
“I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today,” she wrote on social media site X.
“Updates will be provided in due course. Speculation at this stage risks undermining significant work underway to support the company’s response.”
In September 2022, Optus suffered a massive data breach that affected 10 million Australians and resulted in the driver’s licences, Medicare and passport numbers of 10,000 customers being stolen and leaked online.
It prompted the government to introduce tough penalties for companies that failed to protect the sensitive information of their customers.