NewsBite

Family Planning NSW exposes clients’ private health details in Anzac Day ransomware attack

AUSTRALIANS who contacted a family planning agency about sexual health issues have had data exposed in a ransomware attack. Experts warn there are more serious consequences.

Client information held by Family Planning NSW has been compromised in a ransomware attack.

THOUSANDS of Australians who contacted a family planning agency about anything from abortions and contraception to sexual health tests and cancer screenings have had their private details exposed in a ransomware attack 20 days ago.

Family Planning NSW revealed anyone who had used the organisation’s website in the last two and a half years may have had their private information compromised in the attack, including details of “personal health information” as well as phone numbers, home addresses, and birth dates.

And computer security experts warned information stolen in ransomware attacks could be used to elicit money from the victims in future.

The cyber attack was one of several targeting vulnerable web software on Anzac Day this year, Family Planning NSW chief executive Ann Brassil said, and potentially exposed the details of about 8000 clients.

Ms Brassil said all information entered into the agency’s website could have been compromised in the April 25 attack, during which the hackers shut down its website and demanded $15,000 in Bitcoin to restore the information.

“We’re a reproductive and sexual health organisation,” Ms Brassil said.

“We work in all health issues in relation to family planning and reproductive health. All of that sort of information … people have put into the website; all of that sort of personal health information, and it’s all important to those individuals.”

Penrith state Liberal MP Stuart Ayres and Family Planning NSW CEO Ann Brassil at its Penrith clinic. The organisation operates five clinics in the state.

But Ms Brassil said there was no evidence the family planning organisation had been targeted specifically, and “clinical data” about patients was secure as it had been stored on a separate, internal system.

“We are completely committed to the confidentiality of our clinical data,” she said.

“We would like people to continue to use our service … and we would like them to continue to trust us with that.”

The Australian Federal Police was now investigating the breach though it noted, “in most cases, Australian law enforcement will not have the jurisdiction to take action”.

Verizon principal consultant Chris Tappin said, while he couldn’t comment on individual cases, private information stolen from internet users could be used to break into their other online accounts, such as Gmail, or “tailor” email messages to dupe them into clicking on malicious web links.

“This is something people should use to think about their online security, change their passwords, and make sure they’re not using the same passwords across different services,” he said.

Verizon’s Data Breach Investigations Report last month revealed ransomware attacks had more than doubled since 2017 to become the most common online threat, and accounted for 700 incidents last year.

Despite the seriousness of the breach, Ms Brassil said the agency didn’t inform clients their information may have been stolen for 20 days as it took time to confirm data had been exposed, and set up an external security review and phone hotline for affected users.

The Family Planning NSW website remained suspended while it underwent a “security update,” though services continued at its five clinics yesterday.

Concerned Family Planning NSW clients can contact 1800 957 860 or respond@fpnsw.org.au for more information on the breach.

Original URL: https://www.dailytelegraph.com.au/technology/family-planning-nsw-exposes-clients-private-health-details-in-anzac-day-ransomware-attack/news-story/0653bf707b5e41f0b77f4fb328cdba2a