Hackers stole personal data including the health information of nearly 13 million Australians earlier this year, making it one of the nation's biggest cyber attacks.
Electronic prescriptions provider MediSecure on Thursday revealed 12.9 million customers had their data stolen, an unknown amount of which has been uploaded to the dark web.
The company first became aware of the breach on April 13 when suspected ransomware was discovered on a server containing the sensitive personal and health data, then publicly confirmed the attack in May.
MediSecure said Australians who used the company's prescription delivery service from March 2019 to November 2023 were impacted, their data stolen by a malicious third-party actor.
Among the 6.5 terabytes of data stolen are names, dates of birth, addresses, phone numbers, Medicare numbers, prescription information and the reasons for the medication.
A sample of personal information has been exposed on the dark web but the company said it was unable to identify specific individuals impacted due to the complexity of the data and the cost of doing so.
The federal government was not aware of publication of the full data set, National Cyber Security Coordinator Lieutenant General Michelle McGuinness said on X, formerly Twitter.
"No one should go looking for or access stolen sensitive or personal information from the dark web," Lt Gen McGuinness said on Thursday.
"This activity only feeds the business model of cyber criminals and can be a criminal offence."
People who go searching for their information on the dark web risk committing cybercrime if they deal with stolen personal information and can attract a five-year jail term.
"I understand many Australians will be concerned about the scale of this breach. I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams," Lt Gen McGuiness said.
MediSecure was one of two electronic prescription delivery services until late 2023, with the Australian government awarding the service exclusively to eRx Script Exchange.
The company appointed liquidators and went into administration in June, and is not part of Australia's digital health network.
National prescription delivery service eRx is not affected by this cyber incident, the government confirmed.
"Consumers can continue to access medicines safely, and healthcare providers can still prescribe and dispense as usual," it said.
Impacting almost half of the population, the MediSecure breach makes it one of the largest cyber attacks in Australia.
An attack on Optus in September 2022 affected 10 million users and another in October at Medibank impacted about 9.7 million people.
Those impacted by the cyber hack may see an increase in phishing, identity-related crime and cyber scam activities.
The national cyber security coordinator urged them to keep a lookout lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the company's data breach.
