This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

DBG Health

Summary

DBG Health, an Australian pharmaceuticals and healthcare firm that owns the country's largest generic drug manufacturer Arrotex, suffered a ransomware attack in August 2024. The newly emerged Morpheus ransomware gang claimed responsibility in January 2025, posting employee passport scans and confidential business documents to the dark web as proof. DBG Health acknowledged the breach on 25 August 2024, confirming unauthorised access to a storage server.

What Happened

On 25 August 2024, DBG Health and its related companies, including Arrotex, became aware that an unauthorised third party had gained access to a DBG storage server and exfiltrated data. The Morpheus ransomware gang, which appeared to list DBG's subsidiary Arrotex Pharmaceuticals as their first victim, claimed responsibility for the breach in January 2025.

The attackers posted proof-of-hack data including employee listings with phone numbers and email addresses, pharmaceutical documents from the Therapeutic Goods Administration, and valid passport scans belonging to current or former employees. The stolen data reportedly included confidential documents, recruitment information, partner details, case reviews, sales and distributor data, and business plans.

Impact on Individuals

The breach exposed sensitive employee information including:

  • Valid passport scans that could be used for identity theft
  • Employee contact information including phone numbers and email addresses
  • Employment and recruitment records

DBG Health owns Arrotex, which fulfils half of all prescriptions under the federal government's Pharmaceutical Benefits Scheme annually, making this a significant breach in Australia's pharmaceutical supply chain.

Organisational Response

DBG Health publicly acknowledged the cybersecurity incident on 25 August 2024, confirming unauthorised access to their storage server. The company has not publicly disclosed details of their remediation efforts or whether they engaged with law enforcement regarding the breach.
