Home Affairs flags probe of St Vincent’s cybersecurity after Christmas hack
By Rachael Dexter and Angus Thomson
St Vincent’s Health could be fined over the Christmas data hack if Home Affairs finds it failed to meet international cyber safety standards, as the Melbourne and Sydney hospitals are considered critical infrastructure.
A week after the theft of the data was discovered, the nation’s largest not-for-profit operator of aged care homes and hospitals is unable to say whether patient data has been compromised, admitting in a statement released on Friday that while there was no evidence personal information had been stolen, it was still trying to work out what data the cybercriminals had taken.
A Home Affairs spokesperson on Friday said its Cyber and Infrastructure Security Centre “may choose to undertake regulatory investigations into this incident” once initial investigations were completed.
“Critical infrastructure entities with the Risk Management Program requirements are required to have a Risk Management Program in place already, including covering cyber risks,” the spokesperson said.
The discovery of the breach of the network’s defences came just one month after the federal government’s own long-awaited cybersecurity strategy warned that the health care sector’s cyber defence systems were alarmingly unsophisticated.
“Our hospitals and general practitioners hold some of the most sensitive data about Australians and their families. However, the health sector also has one of the lowest cyber maturities across industry,” the report read.
A newly released study from global cybersecurity firm Proofpoint this month also found that over a third of Australia’s top-ranked private and public hospitals were failing on basic cybersecurity measures.
Several major public hospitals are listed as critical infrastructure under federal legislation, alongside other services designated essential for everyday life, such as energy, food, water, transport and communications companies.
A spokesperson for the hospital said it had a risk management plan in place as required by the regulator.
Two sources with knowledge of the investigation, who were not authorised to speak publicly, said between one and two gigabytes of data was stolen.
On Friday, the hospital network briefed its 30,000 staff and issued a public statement saying it had not detected any evidence that personal information was among the trove of copied data.
“Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity,” the statement read.
“Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.”
The federal government, which is working with St Vincent’s and cybersecurity consultants CyberCX on the investigation, also confirmed it was yet to receive any “notifications” that personal data had been stolen.
“With cyber incidents like these across a large network of many different systems, it often takes some time to confidently ascertain how the incident occurred, what the threat actor did, what systems they accessed and what was taken,” said acting national cybersecurity coordinator, Hamish Hansford.
Cyber Security Cooperative Research Centre chief executive Rachael Falk said that hospitals are custodians of “extremely sensitive data” and it was incumbent upon them to keep up with the latest standards set by the regulator.
“It’s another sobering reminder that we end 2023 with yet another data breach,” she said. “In particular, hospitals need to be on notice, and they need to [ask]: ‘have we got our cybersecurity settings right? Are we doing everything necessary to protect valuable patient data?’”
The federal opposition has seized on the government for a perceived lack of transparency and urgency over the data breach, which this masthead first revealed on December 22.
On Friday, shadow minister for health Senator Anne Ruston and shadow minister for home affairs James Paterson issued a joint statement stating it was “baffling” that neither Health Minister Mark Butler nor Home Affairs Minister Clare O’Neil had commented on the matter, leaving it to acting ministers to make public statements on the hack.
“Australians are rightly concerned about their privacy, especially with regard to personal health records,” they said. “The Albanese government must demonstrate to the Australian public that they are taking this matter seriously by being transparent about what they know and what they are doing.”
Butler and O’Neil are on leave.
The health provider said that it first “began responding to a cybersecurity incident” on December 19, but it was not until December 21 that St Vincent’s found that data had been removed from its network, according to the statement.
No cyber criminal activity has been detected on the network since December 20, a spokesperson said.
St Vincent’s operates hospitals across NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities.
The health provider has stressed the hack has not affected its ability to run its hospitals or aged care facilities.
The attack is the latest data breach to hit a major Australian company, with Optus and Medibank suffering cyber incidents in late 2022, while major ports operator DP World Australia shut down its terminals last month after a major cybersecurity attack.
St Vincent’s has set up a dedicated support line for affected patients on 1300 124 507, as well as a dedicated email address, stvincentscybersafety@svha.org.au.