Australian Clinical Labs questioned over long delay in public notification of patient data theft; the records have been available on the dark web for five months
A cyberattack in February against Australian Clinical Labs (ACL) led to patient data being made available on the dark web, and the security community is wondering why it took the company nearly a year to make a public disclosure.
The company reportedly detected the attack shortly after it happened, was contacted by government authorities in March, and was informed in June that some of the patient data had been found for sale on the dark web. At least 223,000 records were taken in the breach, but apparently only a fraction of them were put up for sale in this way. About 10% of the records contained medical or payment information, and more than half contained health insurance numbers.
Patient data theft notification comes eight months late and five months after the information went on sale
The ACL breach stems from Medlab, a subsidiary that provides pathology services and has been a major source of Covid-19 testing in the country. About 17,500 of the leaked records contained patient data associated with a pathology test. About 28,000 contained a credit card number, but just over half of those cards had expired and only about 3,300 had a CVV attached. About 128,000 also had health insurance numbers associated with a person’s name, but these were line entries in a database, not scans of the full card. Various other internal business documents, including financial reports and contracts, were also reportedly made available via the dark web.
ACL released a statement saying there is “no evidence” of misuse of the leaked patient data, but the fact that some records were found listed on dark web sites would seem to contradict that claim. The company said it was contacting affected customers by phone and email, and that a crisis hotline had been set up for those who confirmed their patient data had been leaked.
ACL also said it first learned of the attack in February, but an initial internal investigation found no data theft. The company was then contacted by the Australian Cyber Security Centre (ACSC) in March due to indications that there had been a ransomware incident. The ACSC followed up in June to let ACL know that patient data had been spotted on the dark web.
Medlab says the delay in reporting the incident was due to a lengthy analysis of the patient data found on the dark web, which took several months. The company said it did not want to cause “undue alarm and concern” to Medlab patients. However, cybersecurity experts question this decision, especially since it was revealed more recently that the data of all Medlab patients may have been exposed and that the Quantum ransomware gang (known to specifically target health care companies) is behind the attack.
Dark web sales add to torrent of Australian personal information stolen in the last month
ACL’s argument that it did not violate compliance rules rests on the language of the Privacy Act, the dated legislation that governs most data handling and privacy issues in Australia (and is currently under review, with a major update expected in the coming months).
The company points to the law’s requirement that notification be made in cases “likely to cause serious harm”. The Australian government was not officially notified until July, shortly after the ACSC informed ACL that patient data had been found on the dark web. The company’s apparent position is that it was unaware of the exfiltration of patient data, based on its own internal investigation conducted shortly after the breach.
The timing means ACL is effectively grandfathered under the current rules, which is fortunate for the company: the current maximum penalty is just $2.2 million, and if regulators took action the onus would be on the prosecution in the Federal Court to prove that “serious harm” was inflicted in some way. Lawmakers have already proposed increasing privacy law fines to $50 million or 30% of turnover, and this case has also sparked discussion of changing the terms so that the burden falls on the company to prove that no harm was caused to the persons concerned.
The ACL incident follows several other high-profile incidents in Australia dating back to around a month ago. Although it does not appear to be a coordinated campaign, the wave of thefts of sensitive information belonging to millions of Australians has brought cybersecurity and data handling regulation to the forefront of the national conversation.
Ken Jenkins, vice president of cybersecurity and resiliency services at SecurityScorecard, views this cluster of attacks and the impending privacy law changes as a wake-up call for anyone doing business in the country, but especially for those handling extremely sensitive items such as patient data. “Recent cyberattacks in Australia have highlighted the need for significant changes to cybersecurity processes across the country. The cyberattack on Australian Clinical Labs comes shortly after the attack on the country’s largest telecommunications network, Optus, and a day after Medibank announced that its breach exposed the personal data of all of its customers. The cost of cyberattacks is the highest in the healthcare industry, as personally identifiable information (PII) can be sold for high prices on the dark web, putting patient safety at risk. Cybersecurity challenges in the healthcare industry are increasing as the sector becomes increasingly reliant on technology to perform day-to-day operations. Understanding these challenges can help protect healthcare organizations against current and future threats. Healthcare organizations need to take steps to improve their eHealth. This includes monitoring large vendor and IoT ecosystems. Healthcare organizations can quickly identify risks and prioritize remediation activities when they have a complete view of their IT infrastructure.
“While staying compliant is important, it can’t be the only step in an organization’s security strategy. Compliance includes policy, procedures, plans, and implementation, but does not necessarily include measuring and managing the effectiveness of controls and security posture. With the lack of personnel and resources caused by the COVID-19 pandemic, it is essential that organizations proactively and continuously assess security controls via a trusted third party. In addition, security teams must participate in tabletop exercises and threat emulation to ensure they are familiar with countering and responding to threat actors,” Jenkins recommended.