Cyber security chief says MediSecure data breach is 'isolated' but warns health data key target for cybercrime (2024)

Australia's Cyber Security Coordinator says the large-scale ransomware data breach of e-script provider MediSecure was an "isolated" attack, though she warns cyber criminals are likely to target the health industry again.

The company, which facilitates electronic prescriptions and their dispensing, did not reveal how many Australians were affected.

Lieutenant General Michelle McGuinness confirmed that last week's "significant" data breach contained Australians' personal and health information.

An investigation is underway to determine whether identity documents and Medicare cards were compromised.

"We believe it's an isolated incident, and that no other entities are impacted," she told ABC News Breakfast on Friday morning.

When asked who was behind the ransomware attack, the lieutenant general said she would not provide further detail on that matter.

MediSecure pulled its website on Tuesday, saying it was gathering more information and that "early indicators suggest the incident originated from one of our third-party vendors".

Lieutenant General McGuinness said there was no indication that any information from the data breach had been shared or published yet.

"We have not seen evidence so far to suggest that anyone needs to replace their Medicare card," she said in a statement.

"If our investigation turns up any evidence to suggest Australians' identities are at risk and they need to replace their documents, we will let them know."

Lieutenant General McGuinness said authorities were working closely with MediSecure to be "prepared and best postured" to support anyone whose information was compromised.

However, president of the Australian Medical Association Steve Robson said he attended a briefing on Friday and the scale of the cyber breach is not yet fully known.

"It is early days," he said.

"It's not clear exactly what data have either been accessed, stolen, blocked or whatever and these things can be complex.

"I think the scale of what's happened is going to take time to fully be revealed."

He said e-prescriptions went through a massive explosion over the last few years.

"Certainly MediSecure were a large part of that group," he said.

"So we would anticipate that many doctors and many patients around the country will have data in the database."

Lieutenant General McGuinness said those affected by the breach did not have to take any action right now and would be contacted by MediSecure if their personal information is released.

"We do not recommend that anyone pays ransom — that just builds a cycle with the criminals," she said.

"It provides financing for further ransoms and there is no guarantee that we get the data back or that the data is shared anyway."

Health data will 'continue to be targeted'

The cyber security chief said authorities at the state and federal level were continuing to investigate the breach and were monitoring the situation to reduce harm.

"MediSecure has been incredibly transparent and working very closely with all stakeholders to ensure we get the best outcome for Australians," she said.

But the lieutenant general warned the latest data breach will probably not be the last.

"We'd be naive to think we won't continue to be targeted, particularly the health industry," she said.

"It [has] data rich information, particularly sensitive data, and criminals will continue to respond."

She said some basic precautionary measures that every Australian could take to prevent data breaches include updating software, applying multi-factor authentication and using unique and complex passwords.

"These are things that will lift our cybersecurity posture as a nation and make us more secure," she said.

She said the government was also working to build its cyber "resilience" against attacks and to ensure it's ready to rapidly respond to any data breaches.

Privacy Commissioner Carly Kind told the ABC this incident is a reminder privacy protections across the Australian economy are not where they should be.

"For me, this is a reminder that this is a live issue and that the Australian community are deeply affected through these kinds of incidents, and that we need legislative reform to meet the challenges of this new era."

She said the Privacy Act needs to be expanded to cover small businesses as currently 95 per cent of Australian businesses don't have any privacy obligations.

"That needs to change, and my office requires more powers to investigate and to enforce privacy infringements," she said.

"Currently, we're limited to seeking civil penalties from the federal court in specific incidents where there's serious and repeated interferences with privacy.

"And we'd like to see the scope of those powers expanded to enable us to enforce lower-tier penalties."

She said that privacy reform is urgent.

"This is now a feature of our day to day lives, and we need to make sure that protections for personal information are commensurate with that new threat."

Associate Professor in Law and Justice for the University of New South Wales, Katharine Kemp, says it is concerning that there is not more funding to combat privacy breaches.

"It is concerning that in this latest budget, the funding for the OAIC has been cut by about $11 million, at a time when privacy risks and harms are only increasing."

'All kinds of risks'

Given the ongoing investigation, it is not yet clear what the impact from the MediSecure data breach will be on affected Australians.

The chief executive officer at the Consumer Policy Research Centre, Erin Turner, said a medical data breach can put people "at all kinds of risks if it is available to bad actors".

"That can be everything from identity theft. If there's enough information there they could, for example, take out loans in your name," she said.

"Or in other quite terrifying situations, your information may be used against you or to manipulate you, to scam you, to be held against you."

Ms Turner said all Australian companies needed to make better plans for communicating data breaches with customers.

She said "vague and unclear" statements from companies were not enough.

"This is yet another large-scale data breach where the people affected don't yet know. They don't know what data of theirs might be captured," she said.

"They're just left in an anxious, horrible state waiting for this to be confirmed."

According to the centre's research, half of Australians did not know what to do when their data was breached.

"If you're caught up by this, you can go to the company and if you're unhappy, you can go to the OAIC [Office of the Australian Information Commissioner], the regulator for this issue," Ms Turner said.

She added it was "really disappointing" that Australian laws around data breaches did not address what customer care operations needed to take place after an incident.

"We've seen again and again, whether it's Qantas, Optus, now MediSecure, there's very little information about what affected customers can do or should know."

The ABC has sent MediSecure detailed questions but has been directed to its website for updates.

Article information

Author: Moshe Kshlerin
