SIGN UP FOR OUR NEWSLETTER

Want to keep informed? We’re making it easier. 

Sign Up
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form

Medisecure incident response


IDCARE as Australia’s national identity and cyber support community service has been engaged to assist individuals who have concerns about the exposure of their personal information.

IDCARE’s Role in Supporting You

IDCARE is an independent charity focused on supporting community members that have concerns about their personal, account or credential information.

We are extending our support to impacted persons of the MediSecure data breach via the provision of expert advice and IDCARE specialist Case Management services are available.

IDCARE Case Managers work every day with community members who experience the compromise or exploitation of their personal information. They understand the real risks, concerns and needs of our community.

General recommendations are provided below. If you have specific concerns or seek further guidance on the recommendations, please submit an MediSecure Get Help Form and indicate that your query is in relation to the MediSecure data incident.

Note that IDCARE's National Case Management specialises in cases where individuals believe they have experienced identity exploitation and misuse or have grave concerns about this risk.

what happened?

MediSecure, an e-script service provider, experienced a cyber incident in mid-April 2024.
As a result of this incident, information provided to the company prior to November 2023, including prescriptions, health information, and other personal details, may have been exposed for impacted individuals.

Technical and forensic investigations are ongoing. Updates may be provided as those investigations progress. Stay abreast of developments on the Department of Home Affairs' website.

General Advice and Guidance

The exposure of personal information such as name, date of birth, and contact details can heighten risks around scammer engagement. In fact, notifications about a breach itself can also heighten risks, as scammers can seek to impersonate the breached organisation when engaging with notified persons.

Remain scam vigilant by:

Assuming that communications you receive may be from a scammer.

Make your own enquiries using an alternative contact method to the one they used.

Never give remote access to your devices if asked by someone who engages you.

Keep your passwords and codes to yourself. Sharing these with scammers may mean you breach the terms and conditions of the account providers (such as your bank) and any chance of recovering funds highly unlikely.

Staying abreast of the latest scams by visiting Scamwatch or by subscribing to IDCARE’s free community awareness bulletin, Cyber Sushi

If you believe you have responded to a scam engagement or are experiencing misuse, please complete a MediSecure Get Help form to request assistance.

Response Recommendations by Credentials

IDCARE has formed response recommendations relating to the credentials potentially exposed as a result of the MediSecure cyber incident. IDCARE has been informed that not all attributes were exposed for each individual impacted. Please refer to your incident notification for specifics on what information of yours was exposed.

Full Name & Date of Birth

Potential Risks

Individually your full name and date of birth are low risk identity attributes, however in combination with other information (such as an address and phone number) scammers attempting to engage you can appear more legitimate.

Recommendations

You may see an increase in phishing attempts via email, text message or telephone calls, where the scammer uses details specific to you (such as your name and date of birth for ‘verification’).  

Do not be pressured to respond. Be cautious of clicking on links in emails or text messages, no matter how legitimate they appear. If you want to know whether an organisation tried to get in touch with you, engage the organisation directly using contact details you know are correct.  

Continue to remain vigilant to the potential for scams. You may like to watch IDCARE’s phishing 'how to' video for more useful tips.

Phone Number

Potential Risks

The exposure of a phone number may result in an increase of spam or scam phone calls and/or text messages. These can appear to be from legitimate phone numbers. These engagements may claim to be an authority or well known organisation, such as police, a telecommunications company, a financial institution, or a government entity. The messaging commonly comes with either a sense of urgency to act, such as a securing an account or taking action to avoid a penalty (such as a payment or fine), or, it may include an offer to incentivise you to receive a reward (such as a discount).

Recommendations

Be cautious of unsolicited phone calls and SMS messages impersonating a legitimate organisation. It is important to be aware that sometimes the number displaying on your caller ID is not always a true reflection of the number that is making the call or sending the message. You may like to have a look at our fact sheet on Caller ID spoofing.

Also be cautious of messages that include a link, which may contain malware or redirect you to a scam website that looks authentic. If you would like more information please have a look at our factsheet on SMS scams.

Residential Address

Potential Risks

For most individuals, a physical address is considered a low risk identity attribute. However, in combination with other information (such as your full name, date of birth, email address and phone number) scammers engaging you can appear more legitimate.

Reports made to IDCARE of cyber criminals physically attending a person’s home are extremely rare. Most scammers and cyber criminals are not located in Australia.

Some people may have specific concerns about the exposure of their address, such as survivors of domestic and family violence, or, due to other sensitive circumstances.

Recommendation

If you would like to discuss concerns about the compromise to your address, please submit a MediSecure Get Help form and a case manager will get in contact with you. If you have imminent concerns about a risk to your physical safety, please contact police immediately.  

Email Address

Potential Risks

You may see an increase in email phishing attempts, including from scammers claiming to be from the breached organisation. These emails may include malicious attachments or links to redirect you to a scam website. The messaging may encourage you to update or verify your details or there may be a suggestion you can access a reimbursement via a link or that you are required to make a payment.  

Recommendations

Continue to remain vigilant about emails you receive. Having a little bit of information (such as a full name, date of birth, email address or phone number) can make the job of scammers much easier in convincing people about their deception. Be cautious before clicking on links in unsolicited or unexpected emails, no matter how legitimate they appear. Do not be pressured to respond. Instead, contact the organisation directly using contact details you have sourced and verified through a legitimate means, such as an official website or prior legitimate communications you have received. As an extra precautionary measure, ensure you are using an up-to-date antivirus application that includes email protection and scanning.

DVA Card, Commonwealth Seniors Health Card, Pension Concession Card, Individual Health Identifier

Information 

If this information has been provided as part of your interactions with MediSecure, there is a potential risk that the card number and expiry details may have been compromised. 

 

Potential Risks 

This information does not pose a direct transactional risk, such as enabling access to DVA, health or financial records.

 

Recommendations 

There is no requirement to take any action in relation to your DVA card, Commonwealth Seniors Health Card, Pension Concession card or Individual Health Identifier. DVA is examining other potential impacts to individual identity security associated with breached card numbers internally.  For more information see the DVA's privacy information page.

Medicare Card

Information

Medicare card details provided as part of obtaining your prescription have been compromised in this breach. The compromised information includes the Medicare card number, expiry date and the individual identifier (position number on the card).

Potential Risks

Services Australia advise that your Medicare account cannot be accessed with your Medicare card number alone, nor can the card number by itself be used as a proof of identity within their organisation, however, some organisations may accept Medicare card details for the establishment of new credit or debit accounts.

Replacing your Medicare Card

If you are concerned about your Medicare card, you can request a replacement card through your MyGov account or via the Express Plus Medicare mobile app. You will receive confirmation of the request and the new card details will be issued and available to be noted down for use until the physical card arrives. Alternatively, you can use a digital copy of the card through the app. If you prefer, you can call the Medicare General Enquiries line on 132 011 (available 24/7) to order a replacement card.

As a precautionary measure, you may also wish to consider requesting credit bans to protect against credit misuse attempts and checking your credit reports  to ensure there are no indicators of credit misuse.

Prescription Information

Information 

Some of the information exposed in this breach was in relation to prescriptions issued, including medication names, dosage instructions and the reason for the prescription.  

 

Potential Risks 

Whilst this information does not pose a direct identity related misuse risk, we acknowledge that for some people there may be concerns that arise due to the sensitivities associated with the exposure of personal health information. 

 

Recommendations 

If you would like to discuss these concerns, please submit a MediSecure Get Help form and a case manager will contact with you.