IDCARE as Australia’s national identity and cyber support community service has been engaged to assist individuals who have concerns about the exposure of their personal information.
IDCARE is an independent charity focused on supporting community members that have concerns about their personal, account or credential information.
We are extending our support to impacted persons of the MediSecure data breach via the provision of expert advice and IDCARE specialist Case Management services are available.
IDCARE Case Managers work every day with community members who experience the compromise or exploitation of their personal information. They understand the real risks, concerns and needs of our community.
General recommendations are provided below. If you have specific concerns or seek further guidance on the recommendations, please submit an MediSecure Get Help Form and indicate that your query is in relation to the MediSecure data incident.
Note that IDCARE's National Case Management specialises in cases where individuals believe they have experienced identity exploitation and misuse or have grave concerns about this risk.
MediSecure, an e-script service provider, experienced a cyber incident in mid-April 2024.
As a result of this incident, information provided to the company prior to November 2023, including prescriptions, health information, and other personal details, may have been exposed for impacted individuals.
Technical and forensic investigations are ongoing. Updates may be provided as those investigations progress. Stay abreast of developments on the Department of Home Affairs' website.
The exposure of personal information such as name, date of birth, and contact details can heighten risks around scammer engagement. In fact, notifications about a breach itself can also heighten risks, as scammers can seek to impersonate the breached organisation when engaging with notified persons.
Remain scam vigilant by:
Assuming that communications you receive may be from a scammer.
Make your own enquiries using an alternative contact method to the one they used.
Never give remote access to your devices if asked by someone who engages you.
Keep your passwords and codes to yourself. Sharing these with scammers may mean you breach the terms and conditions of the account providers (such as your bank) and any chance of recovering funds highly unlikely.
Staying abreast of the latest scams by visiting Scamwatch or by subscribing to IDCARE’s free community awareness bulletin, Cyber Sushi
If you believe you have responded to a scam engagement or are experiencing misuse, please complete a MediSecure Get Help form to request assistance.
IDCARE has formed response recommendations relating to the credentials potentially exposed as a result of the MediSecure cyber incident. IDCARE has been informed that not all attributes were exposed for each individual impacted. Please refer to your incident notification for specifics on what information of yours was exposed.
Potential Risks
Individually your full name and date of birth are low risk identity attributes, however in combination with other information (such as an address and phone number) scammers attempting to engage you can appear more legitimate.
Recommendations
You may see an increase in phishing attempts via email, text message or telephone calls, where the scammer uses details specific to you (such as your name and date of birth for ‘verification’).
Do not be pressured to respond. Be cautious of clicking on links in emails or text messages, no matter how legitimate they appear. If you want to know whether an organisation tried to get in touch with you, engage the organisation directly using contact details you know are correct.
Continue to remain vigilant to the potential for scams. You may like to watch IDCARE’s phishing 'how to' video for more useful tips.
Potential Risks
The exposure of a phone number may result in an increase of spam or scam phone calls and/or text messages. These can appear to be from legitimate phone numbers. These engagements may claim to be an authority or well known organisation, such as police, a telecommunications company, a financial institution, or a government entity. The messaging commonly comes with either a sense of urgency to act, such as a securing an account or taking action to avoid a penalty (such as a payment or fine), or, it may include an offer to incentivise you to receive a reward (such as a discount).
Recommendations
Be cautious of unsolicited phone calls and SMS messages impersonating a legitimate organisation. It is important to be aware that sometimes the number displaying on your caller ID is not always a true reflection of the number that is making the call or sending the message. You may like to have a look at our fact sheet on Caller ID spoofing.
Also be cautious of messages that include a link, which may contain malware or redirect you to a scam website that looks authentic. If you would like more information please have a look at our factsheet on SMS scams.
Potential Risks
For most individuals, a physical address is considered a low risk identity attribute. However, in combination with other information (such as your full name, date of birth, email address and phone number) scammers engaging you can appear more legitimate.
Reports made to IDCARE of cyber criminals physically attending a person’s home are extremely rare. Most scammers and cyber criminals are not located in Australia.
Some people may have specific concerns about the exposure of their address, such as survivors of domestic and family violence, or, due to other sensitive circumstances.
Recommendation
If you would like to discuss concerns about the compromise to your address, please submit a MediSecure Get Help form and a case manager will get in contact with you. If you have imminent concerns about a risk to your physical safety, please contact police immediately.
Potential Risks
You may see an increase in email phishing attempts, including from scammers claiming to be from the breached organisation. These emails may include malicious attachments or links to redirect you to a scam website. The messaging may encourage you to update or verify your details or there may be a suggestion you can access a reimbursement via a link or that you are required to make a payment.
Recommendations
Continue to remain vigilant about emails you receive. Having a little bit of information (such as a full name, date of birth, email address or phone number) can make the job of scammers much easier in convincing people about their deception. Be cautious before clicking on links in unsolicited or unexpected emails, no matter how legitimate they appear. Do not be pressured to respond. Instead, contact the organisation directly using contact details you have sourced and verified through a legitimate means, such as an official website or prior legitimate communications you have received. As an extra precautionary measure, ensure you are using an up-to-date antivirus application that includes email protection and scanning.
Information
If this information has been provided as part of your interactions with MediSecure, there is a potential risk that the card number and expiry details may have been compromised.
Potential Risks
This information does not pose a direct transactional risk, such as enabling access to DVA, health or financial records.
Recommendations
There is no requirement to take any action in relation to your DVA card, Commonwealth Seniors Health Card, Pension Concession card or Individual Health Identifier. DVA is examining other potential impacts to individual identity security associated with breached card numbers internally. For more information see the DVA's privacy information page.
Information
Medicare card details provided as part of obtaining your prescription have been compromised in this breach. The compromised information includes the Medicare card number, expiry date and the individual identifier (position number on the card).
Potential Risks
Services Australia advise that your Medicare account cannot be accessed with your Medicare card number alone, nor can the card number by itself be used as a proof of identity within their organisation, however, some organisations may accept Medicare card details for the establishment of new credit or debit accounts.
Replacing your Medicare Card
If you are concerned about your Medicare card, you can request a replacement card through your MyGov account or via the Express Plus Medicare mobile app. You will receive confirmation of the request and the new card details will be issued and available to be noted down for use until the physical card arrives. Alternatively, you can use a digital copy of the card through the app. If you prefer, you can call the Medicare General Enquiries line on 132 011 (available 24/7) to order a replacement card.
As a precautionary measure, you may also wish to consider requesting credit bans to protect against credit misuse attempts and checking your credit reports to ensure there are no indicators of credit misuse.
Information
Some of the information exposed in this breach was in relation to prescriptions issued, including medication names, dosage instructions and the reason for the prescription.
Potential Risks
Whilst this information does not pose a direct identity related misuse risk, we acknowledge that for some people there may be concerns that arise due to the sensitivities associated with the exposure of personal health information.
Recommendations
If you would like to discuss these concerns, please submit a MediSecure Get Help form and a case manager will contact with you.
IDCARE as a registered charity does not ask individuals to donate or pay for our front line services. We are not a charity that can receive tax deductible donations.
We rely on organisations that care enough about you to care about us to keep our charitable service going. Proudly these organisations are displayed above and on our Subscriber Organisations page.
If you are asked for payment from someone claiming to be from IDCARE, please report this to us using our Report Phishing email.
IDCARE has access to the Department of Home Affairs Free Interpreting Service, delivered by the Translating and Interpreting Service (TIS National). Access to the Free Interpreting Service is provided to assist you to communicate with non-English speaking people who hold a Medicare card. Please note that the service does not extend to New Zealand citizens or residents who do not hold an Australian Medicare card, or to tourists, overseas students or people on temporary work visas.
New Zealand Relay provides services to help Deaf, hearing impaired, speech impaired, Deafblind and standard phone users communicate with their peers.
A TTY user connects to New Zealand Relay via a toll-free number and types their conversation to a Relay Assistant (RA) who then reads out the typed message to a standard phone user (hearing person).
The RA relays the hearing person's spoken words by typing them back to the Textphone (TTY) User.
The National Relay Service (NRS) is an Australian government initiative that allows people who are deaf, hard of hearing and/or have a speech impairment to make and receive phone calls.
The NRS is available 24 hours a day, every day and relays more than a million calls each year throughout Australia.