Clinical labs team working with microscope showing stolen patient data on dark web due to data breach

Australian Clinical Labs Questioned About Long Delay in Public Notification of Patient Data Theft; Records Have Been Available on Dark Web for Five Months

A February cyber attack on Australian Clinical Labs (ACL) led to patient data being made available on the dark web, and the security community is questioning why it took the better part of a year for the company to make a public disclosure.

The company reportedly detected the attack not long after it occurred and was contacted by government authorities in March, and were also notified in June that some of the patient data had been found available for sale on the dark we b. At least 223,000 records were taken in the breach, but apparently only a portion of them were made available in this way. About 10% of the records contained either medical or payment information, but more than half contained Medicare numbers.

Patient data theft notification comes eight months late, and five months after information spotted for sale

The ACL breach stemmed from Medlab, a subsidiary that provides pathology services and has been a major source of Covid-19 testing in the country. About 17,500 of the leaked records contained patient data associated with a pathology test. About 28,000 contained a credit card number, but a little over half of these are expired and only about 3,300 had a CVV attached. About 128,000 also had Medicare numbers paired with a person’s name, but these were line entries in a database and not scans of the full card. Assorted other internal business documents, including financial reports and contracts, were also reportedly made available via the dark web.

ACL has issued a statement indicating that there is “no evidence “of misuse of the leaked patient data, but the fact that some records have been found listed on dark web sites would appear to contradict that claim. The company has said that it is contacting impacted customers by phone and email, and that a crisis hotline has been set up for those that have confirmed their patient data has been leaked.

ACL has also said that it first learned of the attack in February, but that an initial internal investigation did not find that any data was stolen. The company was then contacted by the Australian Cyber Security Centre (ACSC) in March due to indications that there had been a ransomware incident. ACSC followed up in June to let ACL know that patient data had been spotted on the dark web.

Medlab says that the delay in reporting the incident was due to a lengthy analysis of the dark web patient data, which took several months. The company said that it did not want to cause “undue alarm and concern” for Medlab patients. However, cybersecurity experts question this decision, particularly as it has more recently been revealed that the data of all of Medlab’s patients may have been exposed and that the Quantum ransomware gang (notorious for specifically focusing on health care companies) is the perpetrator.

Dark web sales add to torrent of Australian personal information stolen in past month

ACL’s argument against a failure to observe compliance rules hinges on language used in the Privacy Act, the dated piece of legislation that governs most data handling and privacy issues (and is currently under review with a major update expected sometime in the next few months).

The company refers to the law’s requirement that notification be made in cases that are “likely to cause serious harm.” The Australian government was not formally notified until July, shortly after ACL had been told by the ACSC that patient data had been found on the dark web. The company’s apparent tack is to claim ignorance of the exfiltration of patient data based on its own internal investigation conducted shortly after the breach.

ACL’s timing in being “grandfathered” in under the present terms is thus lucky for the company; the current maximum penalty is only $2.2 million, and it would be incumbent upon prosecution in Federal Court to prove “serious harm” has been inflicted in some way if taking regulatory action. Lawmakers have already proposed raising the Privacy Act fines to $50 million or 30% of turnover, and this case has also prompted discussion about changing the terms to put the onus of proving that no damage was done to data subjects on the company.

The ACL incident follows several other high-profile incidents in Australia that date back to about a month ago. While it does not appear to be a coordinated campaign, the rash of thefts of sensitive information from millions of Australians has put cybersecurity and data handling regulation at the forefront of the national conversation.

Ken Jenkins, Vice President of Cybersecurity and Resilience Services at SecurityScorecard, sees this cluster of attacks and the imminent Privacy Act changes as a wake-up call for anyone doing business in the country, but particularly those that handle extremely sensitive items such as patient data: “The recent cyberattacks in Australia have highlighted the need for significant changes in cybersecurity processes throughout the country. The cyberattack on Australia’s Clinical Labs comes shortly after the attack on the country’s largest telecommunications Optus and one day after Medibank announced that its breach exposed the personal data of all of its customers. The cost of cyberattacks is the highest in the healthcare industry, as personally identifiable information (PII) can be sold for top dollar on the dark web, putting patients’ safety at risk. Cybersecurity challenges within the healthcare industry are increasing as the sector grows more dependent on technology to perform daily operations. Understanding these challenges can help to protect healthcare organizations from current and future threats. Healthcare organizations must take steps to improve their cyberhealth. This includes monitoring expansive vendor and IoT ecosystems. Health organizations can quickly identify risks and prioritize remediation activities when they have a comprehensive view of their IT infrastructure.”

“While staying compliant is important, it cannot be the only step in an organization’s security strategy. Compliance consists of policy, procedures, plans, and implementation but doesn’t necessarily include measuring and managing the effectiveness of security controls and posture. With the lack of staff and resources caused by the COVID-19 pandemic, it is essential that organizations proactively and continuously assess security controls via a trusted third party Additionally, security teams should participate in tabletop exercises and threat emulation to ensure they are familiar with countering and responding to threat actors,” recommended Jenkins.