In May 2024, MediSecure, one of Australia's two national electronic prescription providers, confirmed it was the victim of a ransomware attack. Within weeks, the company was in administration. It became one of the most consequential cyber incidents in Australian history, not because of the attack itself, but because of what happened next.

The cascade

Approximately 12.9 million Australians were affected, making it one of the largest data breaches the country has seen. The compromised data included personal details, healthcare provider information and prescription records dating back to 2019. The company sought a financial bailout from the Commonwealth Government to fund its incident response. The request was denied, reportedly the first time a private company had sought government support in the wake of a cyber attack.

MediSecure entered voluntary administration in June 2024. FTI Consulting was appointed as administrators. The company was unable to identify the specific individuals impacted, despite making what it described as all reasonable efforts, due to the complexity of the dataset. The stolen data was reportedly sold on the dark web.

The governance conundrum

At the time, I raised what I thought was the most important question: where do impacted individuals turn when the breached entity no longer exists?

The answer, as it played out, was essentially nowhere. With the company in administration, there were insufficient resources to allow the public to make enquiries about whether their data was compromised. The 12.9 million affected Australians were left without a meaningful pathway to understand their exposure or seek redress.

This creates a gap in our governance and regulatory frameworks that remains unresolved. The Privacy Act contemplates obligations on entities that hold personal information, but those obligations become difficult to enforce when the entity ceases to operate. The Notifiable Data Breaches scheme assumes a functioning organisation on the other side of the notification.

What directors should take from this

MediSecure illustrates a scenario that most incident response plans do not contemplate: what happens when the breach is the event that ends the business? For organisations without deep financial reserves, particularly SMEs and not-for-profits, the MediSecure trajectory is not an edge case. It is a plausible outcome.

Directors should be asking whether their organisation's cyber resilience extends beyond technical controls to include financial resilience for a sustained incident response. They should also be examining whether their data holdings are proportionate to their operational needs. MediSecure held data from a service it no longer operated. That data became the liability that contributed to its collapse.

The question of what happens to data obligations when a company enters administration remains open. It deserves attention from policymakers and governance professionals alike.

A note on AI use

This article reflects the author's own analysis, experience, and professional judgement. AI tools were used during drafting to assist with structure, editing, and refinement. The ideas and positions expressed are entirely the author's own.

For more on how Wilk Advisory uses AI, see our AI use statement.

Jason Wilk FAICD is the Managing Director of Wilk Advisory, a governance, risk, and cyber advisory practice based in Perth, Western Australia.

He is a Senior Facilitator and Course Author with the Australian Institute of Company Directors, including authoring all AICD cyber governance courses for board directors.

Contact: jason@wilkadvisory.au
