MediSecure ransomware attack

In May 2024, MediSecure — one of Australia's two national electronic prescription providers — disclosed a ransomware attack that exposed the personal and health information of roughly 12.9 million Australians, making it one of the largest data breaches in Australian history and ultimately destroying the company.

What happened

MediSecure operated the digital infrastructure that allowed doctors to issue, and pharmacies to dispense, electronic prescriptions across Australia. The attack was later determined to have begun around 13 April 2024, with the company publicly confirming a "large-scale ransomware data breach" on 16 May 2024. The breach was traced to a third-party vendor in MediSecure's supply chain.

The stolen data was extensive. It included individuals' names, dates of birth, postal and email addresses, phone numbers, Individual Healthcare Identifiers (IHI), and Medicare card numbers, along with deeply sensitive clinical fields: prescription medication details, the medical reason for each prescription, and dosage instructions. The archive also contained Pensioner Concession, Commonwealth Seniors, Healthcare Concession, and Department of Veterans' Affairs card numbers.

Impact

Approximately 12.9 million Australians had data exposed — close to half the national population.
A threat actor advertised the stolen database for sale on a cybercrime forum for around US$50,000, and analysts assessed the data was likely sold.
The exposure of prescription and diagnosis data created uniquely sensitive privacy harms, revealing individuals' medical conditions.

Collapse of the company

Unable to absorb the costs of the incident and denied a government bailout, MediSecure entered voluntary administration in early June 2024, with FTI Consulting appointed as administrators. The company subsequently moved into liquidation, becoming one of the clearest cases of a business driven out of existence by a single cyberattack. Because MediSecure had already been superseded as the active national e-prescription provider, the breach did not disrupt ongoing prescription services, but it left a defunct company holding the liability for millions of records.

Why it matters

The MediSecure breach is a landmark Australian case on three fronts: the uniquely sensitive nature of prescription and diagnosis data, the supply-chain origin of the compromise, and the existential business risk of a major breach for a mid-sized health-tech firm. Arriving amid the post-Optus, post-Medibank reckoning over Australian data security, it reinforced national debates about data minimization and retention — why a legacy provider still held health records on nearly 13 million people — and accelerated reforms to Australia's privacy and critical-infrastructure regimes.

Timeline

April 13, 2024

MediSecure later determines the ransomware attack on its systems was identified to have begun around this date.

May 16, 2024

MediSecure publicly confirms a 'large-scale ransomware data breach' affecting personal and health information.

May 23, 2024

A threat actor advertises the stolen MediSecure database for sale on a cybercrime forum for around US$50,000.

June 3, 2024

MediSecure enters voluntary administration after failing to secure a government bailout.

July 18, 2024

Authorities confirm the breach affected approximately 12.9 million Australians.

October 1, 2024

MediSecure moves into liquidation as the ransomware investigation concludes.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/

hipaajournal.comhttps://www.hipaajournal.com/medisecure-ransomware-attack/

bankinfosecurity.comhttps://www.bankinfosecurity.com/e-prescription-vendor-breach-affects-129-million-aussies-a-25821

ia.acs.org.auhttps://ia.acs.org.au/article/2024/medisecure-in-administration-weeks-after-confirming-breach.html

pulseit.newshttps://www.pulseit.news/australian-digital-health/medisecure-in-liquidation-as-it-ends-ransomware-investigation/

Related incidents

RansomwareContainedOctober 13, 2022

Medibank ransomware (REvil-affiliated)

Russian-speaking attackers exfiltrated full health-claim records on 9.7 million current and former Medibank customers, then released them in tranches on the dark web after the Australian insurer refused to pay.

Victim: Medibank Private
Loss: $250.0M
Records: 9.7M

RansomwareContainedMay 8, 2024

Ascension Health ransomware attack

Black Basta ransomware crippled Ascension, one of the largest U.S. health systems, after an employee downloaded a malicious file. The attack forced 140 hospitals onto manual operations for weeks, diverted ambulances, and ultimately exposed the data of nearly 5.6 million patients.

Victim: Ascension
Loss: $1.80B
Records: 5.6M

RansomwareRansom paidFebruary 21, 2024

Change Healthcare ransomware (ALPHV/BlackCat)

ALPHV/BlackCat compromised Change Healthcare via Citrix portal lacking MFA, paralyzed U.S. prescription claims for weeks, and exfiltrated data on an estimated 100 million people.

Victim: Change Healthcare (UnitedHealth Group)
Loss: $2.87B
Records: 100.0M

RansomwareOngoingApril 21, 2026

Sterimed: internal files published after a cyberattack

On 21 April 2026, French medical-packaging manufacturer Sterimed was claimed by the Qilin ransomware group, which published internal files — technical documents, project data, HR records, IT-security material and system backups — on its dark-web leak site.

Victim: Sterimed