Ten years worth of pathology referral letters may have been exposed in a cybersecurity incident affecting the Victorian pathology clinic TissuPath.
The government is aware of the data breach as well as potential incidents affecting real estate firm Barry Plant and owners corporation management company Strata Plan, national cybersecurity coordinator Darren Goldie said in a statement.
TissuPath apologised to affected patients and said it was investigating the potential exposure of data that included scanned pathology request forms with information such as patient names, dates of birth, contact details, Medicare numbers and private health insurance details.
“Importantly, TissuPath’s main database and reporting system that stores patient diagnoses was not compromised,” the company said.
“Further, we do not store patient financial details and other personal information documents, such as drivers licence numbers.”
The three incidents were linked on a dark web site to the notorious ransomware gang ALPHV, but Goldie declined to attribute the attack.
“Given the sensitivities of the incident, the National Cyber Security Coordinator is overseeing a whole-of-government response to the Tissupath incident,” he said.
TissuPath said the data obtained potentially included referrals for suspected cancer patients between 2011 and 2020. The company indicated this kind of data is kept for 20 years under National Pathology Accreditation Advisory Council (NPAAC) guidance.
The company said it has sent a notification letter to all primary referring doctors about the incident, and is in the process of contacting all affected individuals.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has been in contact with TissuPath, and the company also notified the Office of the Australian Information Commissioner.
“ACSC continues to monitor the situation, providing technical advice and assistance to organisations as required,” an Australian Signals Directorate spokesperson said.
The breach was first reported by Cyber Security Connect, while TissuPath also confirmed the timeline on its website. The incident, reportedly discovered on 24 August, was caused by an attack on a third party supplier that led to a storage drive being accessed.
Barry Plant’s chief executive Lisa Pennell said one of the company’s offices in Blackburn in Melbourne’s east had been the victim of a cyber incident linked to the compromise of an external service provider, but that the Barry Plant Group’s systems had not been impacted.
“We have become aware that a third party supplier to a small part of the property management business of one of our franchised offices has had a cyber incident,” she said in a statement.
“We are supporting our franchisee and have engaged market leading experts to help us assess the situation.”
A Strata Plan spokesperson said: “We are aware of a cyber attack against a third party service provider of Strata Plan and an allegation that it has impacted some of our data.
“This is being investigated with the assistance of cybersecurity experts. As the investigation is ongoing, we are unable to provide any further comments at this stage.”
The ALPHV group is linked to the hack of Australian law firm HWL Ebsworth in April. The company, which provided advice to dozens of government departments and agencies, successfully applied for an injunction against the use of its stolen data.
Do you know more? Please email abogle@protonmail.com
