MediSecure confirmed that the attack happened earlier this year but the company can’t afford to find out who has fallen victim to the breach.

MediSecure, which facilitates electronic prescriptions and dispensing, went into voluntary administration in June with the government declining to provide a bailout.

On Thursday evening it provided an update on the April hack, saying more than 12 million Australians had been affected.

“MediSecure can confirm that approximately 12.9 million Australians are impacted by this incident based on individuals’ healthcare identifiers,” administrators FTI Consulting said in a statement.

“However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.”

The impacted server held an enormous amount of data stored across a number of data sets.

“This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the statement continued.

MediSecure doesn’t even know what data was affected, only that 6.5 terabytes - the equivalent of billions of pages of text - was stolen.

“The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor, however the encrypted server could not be examined to ascertain the information specifically accessed,” the administrators said.

The hack happened in April, but MediSecure didn’t notify the public of the incident until May.

The ABC reported that a sample of the data has been published on the darkweb but there is no indication the larger amounts will be released.

It is thought the data included details of prescribed medications, the name of the drug, its strength, quantity, repeats, the reason for their prescription, and instructions for taking the medication.

National Cyber Security Coordinator Lieutenant General Michelle McGuinness said people should keep using the service to access their prescriptions.

“There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions,” she said on X.

“At this time, the Australian Government is not aware of publication of the full data set. No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence.

“I understand many Australians will be concerned about the scale of this breach. I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams.

“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information you should hang up and call back on a phone number you have sourced independently.”

The breach is bigger than the Optus hack of 2022 in which 10 million Australians had their data stolen.

The cyber attack meant that around 2.9 million Aussies had extremely sensitive data stolen, including passport and driving licence numbers.

Originally published as 12.9m Aussies hacked in major data breach