Australian patient data breached for months in country's latest major cyber incident

An Australian pathology company, Medlab Pathology, suffered a data breach that led to its patients' data being leaked on the dark web for four months before the government's cyber security agency intervened.

Australian Clinical Labs (ACL), which acquired Medlab Pathology in December 2021, determined that the personal information belonging to around 223,000 individuals has been affected, with the individuals impacted largely confined to New South Wales (NSW) and Queensland.

The records breached of most concern are around 17,539 individual medical and health records associated with a pathology test and around 28,286 credit card numbers and individuals’ names.

Of these records, 15,724 have expired and 3,375 have a CVV code, and 128,608 Medicare numbers, a government national insurance programme, and an individual’s name. ACL publicly confirmed that Medlab experienced a cyber incident affecting patients and staff on 27 October.

Medlab became aware of unauthorised third-party access to its IT system in February 2022. ACL said it immediately coordinated a forensic investigation led by independent external cyber experts into the Medlab incident. At the time, the external forensic specialists did not find any evidence that information had been compromised.

In March, the company was contacted by the Australian Cyber Security Centre (ACSC) which said that it had received intelligence that Medlab may have been the victim of a ransomware incident.

The company responded to the request for information and confirmed that to its knowledge the company did not believe that any data had been compromised.

In June, ACL was again approached by the ACSC, suggesting that Medlab information may have been posted on the dark web. ACL took immediate steps to find and download the unstructured data set from the dark web and made efforts to permanently remove it.

“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred,” said Melinda McGrath, CEO at ACL. “We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected.”

The company also informed the Office of the Australian Information Commissioner (OAIC) that has been kept up to date on the progress of the forensic investigations into the incident.

ACL said that there is no evidence of misuse of any of the information or any demand made of Medlab or ACL, and that the compromised Medlab server has been decommissioned. ACL’s broader systems and databases are not affected by the attack either, it said.

Following advice from privacy and legal specialists in cyber matters, ACL said it implemented a programme to determine the nature of the information involved and any individuals that could be at risk of serious harm as a result of the incident.

It added that because of the complex and unstructured nature of the data set being investigated, it has taken forensic analysts and experts until now to determine the individuals and the nature of their information involved.

ACL will now commence the process of directly contacting at-risk individuals by email and postal mail, to provide them with information about the incident, how it affects them and additional steps that can be taken to protect their information, the company said.

The company will be offering free-of-charge credit monitoring and/or ID document replacements to individuals whose affected information types may put them at risk of credit and/or identity fraud, and is working alongside Federal and State government authorities in this regard.

The news comes after Australia has been rocked by a series of cyber attacks in recent months. Private health insurance provider Medibank revealed on 26 October that a cyber attack that hit it earlier in the month could set the company back by $35 million AUD (£19.5 million).

At the same time, the company disclosed that the attackers had access to all 3.9 million customers’ data, which is equivalent to around 15% of the population of Australia.

In October, Telstra, the country's largest telco, was hit by a data breach and advised customers to improve the security on their accounts. The incident involved the access of around 30,000 past and present employee details, with a third-party platform being affected in the attack.

Optus, another major telco, was also hit by a cyber attack in September which saw 10 million of its accounts affected. It warned 10,200 customers that their Medicare records were included in a cache the hackers was trying to hold to ransom online, with the government underlining that the breach had caused systemic problems for million of Australians.