
Australians’ medical records and patient information could be sold on the hidden market, an expert has warned, after a cyber-attack at one of the nation’s biggest healthcare providers.
Partnered Health revealed 21 clinics across several cities including Sydney, Melbourne and Canberra were affected when a “malicious actor” accessed its data on 23 June.
Medical information including treatment details, consultation notes, referral letters and pathology or diagnostic results is believed to have been stolen, alongside Medicare numbers, private health insurance details, names, dates of birth, addresses and more.
Patients and stakeholders affected by the breach have been contacted, but a Partnered Health spokesperson told Guardian Australia it was not in its patients’ interests to publicly discuss the number of people affected.
The company said it had obtained an interim injunction from the New South Wales supreme court ordering the accessed data not be used or published.
While this could prevent the dataset from being released on a regular website, it was unlikely to stop it from being sold on the hidden market and dark web, the University of Melbourne information systems senior lecturer Dr Suelette Dreyfus said.
Personal medical information is particularly valuable, according to Dreyfus, with reports of it selling for up to US$250 per record, compared with personal information like name and address which sell for a few cents each.
“You can match it with information in other datasets, and this means the profile you’re able to build of someone is much more detailed and potentially much more dangerous to privacy,” she said.
“It could really disrupt a person’s life if they had a medical condition like a long-term disease – the risk is pretty substantial.”
It is also possible someone may have placed an order with the attackers to target a specific company or person, she said.
In 2018, the details of 1.5 million Singaporean patients were stolen, with unidentified state actors specifically targeting the country’s prime minister, Lee Hsien Loong.
Unlike financial data breaches, where victims can mitigate potential damage by changing passwords and credit cards, those who lose their medical records have less recourse.
“It’s pretty hard to change your medical history once it’s bolted out the door due to a cyber-attack,” Dreyfus said.
She urged Australians to stay vigilant about any unusual activity in their accounts, ensure their devices have the latest security updates, and change their passwords regularly.
Governments and institutions should also increase practical cybersecurity training, build more public awareness and support research to prevent attacks, she said.
This is not the first time Australians have had their data put at risk in a cyber-incident.
In 2022, the personal details of 9.7 million current and former Medibank customers were published on the dark web after the company refused to pay a hacker group.
Three years earlier, the Victorian auditor general exposed cybersecurity weaknesses by using “basic hacking tools” to access sensitive patient data at three hospitals.
It made recommendations to the department of health and hospitals, which were accepted.
Though doctors and nurses would be sensitive to the importance of patient privacy, medical institutions do not always prioritise the cybersecurity element of the services they provide, Dreyfus said.
“They’re thinking about it in terms of not giving someone’s ex-husband this information about his ex-wife,” Dreyfus said.
“But that’s obviously a different thing than an attacker who goes in for a wholesale swipe of the hospital’s information.”
The incident has also been reported to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and law enforcement.
View original source — The Guardian ↗



