Security agencies mobilise to stem attack on operator of 10 hospitals and 26 aged-care facilities

Alarm bells have been set off across the nation amid the breach at St Vincent’s, operator of 10 hospitals and 26 aged-care facilities in New South Wales, Queensland and Victoria.

Sarah Ison, Joseph Lam and David Murray

2 min read

3:02PMDecember 22, 2023.

Updated 5:33PMDecember 22, 2023

The Australian Business Network

St Vincent’s operates 10 hospitals and 26 aged-care facilities across Australia. Picture: Monique Harmer

Cyber criminals have hacked into one of Australia’s biggest health networks, stealing data in an attack that has set off alarm bells across the nation.

The federal government’s cyber security defence capabilities have joined forces to contain and investigate the extent of the breach at St Vincent’s, operator of 10 hospitals and 26 aged-care facilities in NSW, Queensland and Victoria.

It’s the latest in a series of major cyber attacks over the past 18 months that have led to tens of millions of people having their records stolen or data compromised from organisations including Medibank, Optus and Latitude Financial.

St Vincent’s confirmed on Friday it was the target of a cyber security breach which it had first detected and begun responding to on Tuesday.

Initial investigations led to the health network on Thursday discovering data had been removed from its systems.

“St Vincent’s is working to determine what data has been removed,” a spokesman for the organisation, which employs 30,000 people across the country, said on Friday.

Two sources close to the investigation said there had been no communication from the criminals as of Friday afternoon.

The healthcare sector globally has been the target of malware attacks that lock down an organisation’s data until a ransom is paid, severely impacting services and posing a direct threat to patient safety.

St Vincent’s has instead been the victim of theft, leaving services functioning normally.

“It’s a really small amount of information at the moment. There’s been no ransomware deployed in the system,” one source said.

However investigators were still seeking to confirm if more data was stolen, how long the cyber criminals were in the system and what else they did while they had access, along with trying to determine who was behind the attack.

Shortly after the St Vincent’s statement, Acting National Cyber Security Co-ordinator Hamish Hansford confirmed he was working with the health network, alongside the National Office of Cyber Security and the Australian Signals Directorate to contain the breach and investigate possible damage.

“My team is working with Services Australia, the Department of Health and Aged Care, and relevant state and territory agencies to ensure a co-ordinated government response to this incident and to mitigate any flow-on effects,” Mr Hansford said.

“We’re advised that this incident has not affected the ability of St Vincent’s to deliver their important services to patients, residents, and the broader community across their hospital, aged care, and virtual and home health networks.”

A hospital spokesman said an investigation was underway as was an action plan with “key activities (which) include securing and containing the incident, understanding what the cyber criminals have done, and identifying what data may have been accessed and stolen”.

The St Vincent’s breach arrives just one month after a cyber attack on a multinational logistics operator which controls four Australian ports responsible for 40 per cent of the nation’s exports.

The breach on the Australian arm of Dubai-based DP World on November 10 shut down the company’s ports in Brisbane, Sydney, Melbourne and Perth, and resulted in a backload of 30,000 containers.

The breach at the time sparked major concerns over the ability for imports to reach Australian shelves in time for Christmas.

It was later revealed the personal details of former and current staff were stolen by a hacker.

A St Vincent’s spokesman said the hospital network was still able to function despite early mitigation efforts to contain the breach.

“Our priority is the health and safety of our patients, residents, and our people, and the continuity of St Vincent’s services for the community,” he said.