DBG Health Hack: Cyber Criminals Target Pharma Empire and Steal Ex-Employees' Payroll Information

Australia's largest provider of prescription medicines, DBG Health, has been hit by a devastating cyber attack. The company, which generates around $2 billion in annual revenue, has confirmed that sensitive payroll information of an unknown number of former employees was stolen during the breach.

According to a spokesperson for DBG Health, last year the company identified a limited incursion on an isolated server holding a number of employee records. The incident was halted, and the company immediately engaged specialist cyber security and legal experts to forensically analyse the impacted server. The experts notified and fully engaged with the appropriate authorities, contacted relevant employees, and offered any assistance required.

DBG Health has more than 1,400 employees working across its global portfolio, which includes businesses such as Arrotex, VidaCorp, AXE Health, IPA, and myDNA Inc. The company owns Australia's largest generic drug manufacturer, Arrotex, which fulfills half of all scripts filled under the federal government's Pharmaceutical Benefits Scheme every year.

Last month, DBG Health's billionaire boss Dennis Bastas notified former employees that cyber criminals had stolen their personal and payroll information. In an email obtained by The Nightly, Mr Bastas advised former employees on what happened, what information was affected, how this may impact them, and the steps the company had taken to protect them.

“We have confirmed that data stolen by cyber criminals last year includes some of your information from our payroll system,” he wrote. “Our investigation indicates your stolen data includes information taken from our payroll system, saved from when you were employed in our business.” This included bank account details and tax file numbers (TFN).

The company immediately engaged an expert third party to investigate and subsequently identified some employees whose personal information had been compromised. An initial notification was made to those employees at the time, which was completed in January 2025.

After an extensive and time-consuming review that involved rebuilding servers to determine exactly what was taken, EY's Cyber Security Centre confirmed that additional payroll information was stolen. The company is now notifying impacted employees as quickly as possible after this was confirmed.

The Stolen Data

The stolen data includes payroll information from DBG Health businesses. Former staff have been told their records included salary, superannuation payables, and contact information. Although the data has been stolen, there is no evidence that it has been used by cyber criminals.

The Hackers

A ransomware gang called Morpheus claimed responsibility for hacking into DBG Health's server last August. According to Morpheus, the volume of extracted data ready for sale or publication was nearly 2.5 terabytes. The hackers boasted that the stolen data included confidential documents, recruitment information, DBG partner information, case reviews, sales and distributor data, and business plans.

The Investigation

Cyber Daily reported in January that Morpheus had published two valid passport scans that appeared to belong to prior or current employees of DBG Health. The hackers also published two pharmaceutical documents from the Therapeutic Goods Administration.

The Response

DBG Health has taken additional security measures to further restrict access and strengthen system monitoring and detection. A dedicated information line was set up for impacted employees to ask questions and receive advice about the situation. The company will continue to monitor and detect if the stolen data is sold or misused on the dark web.

The Company's Response

Dennis Bastas, DBG Health's billionaire boss, has expressed regret that former employees' information was impacted. He stated that while there was no evidence that the stolen data had been used by cyber criminals, EY would continue to monitor and alert him if any changes occurred.