Cyberattack linked to two Melbourne hospitals exposes patient details on dark web
By Henrietta Cook and Broede Carmody
Private details of hundreds of patients linked to at least two major Melbourne hospitals have been leaked on the dark web following a cyberattack.
The stolen data – which included sensitive health information, contact details and Medicare numbers – belonged to the patients of a cardiologist who works at the Epworth and Royal Melbourne hospitals and also runs a private practice.
Many of the affected patients had links to the Epworth. Credit: Eddie Jim
The leak has shone a spotlight on a surge of data breaches involving health services, as hackers increasingly target small GP clinics, allied health providers and the offices of specialist doctors.
The Melbourne cardiologist, who this masthead has chosen not to name, emailed his patients on June 9 to inform them of the breach and warned them to be alert for email, text message or telephone scams.
The data was leaked after the specialist failed to pay a ransom to the hacker. It’s unclear how much the ransom was.
“I’m writing to let you know my private practice rooms ... [have] become a target of cybercrime, where an unauthorised third party gained access to my systems and removed data from my network,” he said in the email.
The cardiologist emailed patients again on June 19 and said that a cyber forensic expert had identified that their personal information “may have been removed from our systems and made available online”.
It’s understood that the majority of affected patients attended the cardiologist’s private consulting rooms from the Epworth, Melbourne’s largest not-for-profit private hospital. A smaller number were referred via the Royal Melbourne.
One patient said he was shocked to learn his private details had been accessed by a hacker.
“You expect that when you go to somewhere like the Epworth and see their specialists that the patient information that the hospital has passed onto the specialist will remain secure,” he said.
“It’s disappointing.”
The alleged hackers initially boasted online that they had breached Epworth’s IT systems.
But an Epworth spokeswoman said the hospital had conducted a thorough investigation and there had been no such breach. She said the issue related to another health service provider that was not connected to the Epworth’s IT environment.
“The third party has been notified,” she said. “Patient care remains fully operational and safe across all Epworth hospitals.”
A Royal Melbourne Hospital spokeswoman said the health service had also conducted a thorough investigation and its systems had not been breached or compromised.
The Office of the Australian Information Commissioner has been notified of the incident.
Health services have reported the most data breaches to the commissioner since 2018. There were 121 breaches between July and December last year, up from 79 over the same period in 2022.
Health service providers now make up about 20 per cent of all breach notifications, followed by the Australian government (17 per cent) and the finance sector (9 per cent).
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely,” a spokeswoman for the commissioner said, adding that she could not comment on specific breaches.
“This is very important for health service providers given the sensitive information they hold.”
Megan Lane, health and aged care lead for CyberCX, the country’s largest cybersecurity firm, said third-party healthcare providers represented the industry’s “soft underbelly”.
“While hospitals might seem like an obvious target, it is the thousands of GPs, specialists, and allied care providers scattered across the care economy that are targeted up to 10 times more,” Lane said.
“These businesses process incredibly sensitive personal and medical information, but are less heavily cyber-regulated, and tend to outsource technology and IT decision-making and management which often leaves them more vulnerable.”
RMIT professor Matt Warren, from the university’s Centre for Cyber Security Research & Innovation, agreed.
“Health contractors tend to be smaller organisations. They become a more attractive target for hackers who are after patient details.”
A specialist doctor, who did not want to be identified, said his practice in regional Victoria had to pay $25,000 to a hacker in 2022 after they took control of patient files and prevented medical staff from accessing them.
“It was extremely stressful,” he said. “We attempted to open the electronic patient files on a Monday morning but were shut out for four days … all the patients were coming in and we had no idea who they were.”
He said health providers went to great lengths to protect their patients’ data, but hackers still found a way to evade these protections.
In April 2024, 12.9 million Australians – about half the population – had their data stolen in an attack on electronic prescription provider MediSecure. Some 6.5 terabytes of data, including insurance numbers and names and addresses, was subsequently published on a Russian hacking forum and MediSecure then went into administration.
The year prior, the details of almost 10 million current and former Medibank customers – including birthdates and passport numbers – were stolen.
The cardiologist was contacted for comment.