Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.
ACL is an Australian healthcare company that operates 89 laboratories and performs six million tests annually, offering its services to 92 private and public hospitals across Australia.
While the firm says it’s not aware of any misuse of the stolen information, it is notifying all impacted clients individually of what data was exposed in the attack.
A data breach incident notification published today gives the following summary of leaked data:
128,608 Medicare numbers, along with full names.
28,286 credit card numbers, 12% of which include CVV code, and 55% expired.
17,539 individual medical and health records associated with pathology tests.
Australia’s Cyber Security Center (ACSC) and the Office of the Information Commissioner (OAIC) have already been notified about the incident earlier in the year, with ACSC initially warning MedLab that hackers posted their data to the dark web.
All impacted individuals will also be offered free-of-charge credit monitoring and identity theft protection services, while ACL will cover the costs of ID document replacements where needed.
The ransomware gang that took responsibility for the attack on Medlab Pathology is Quantum, which uploaded all stolen files on its Tor site on June 14, 2022.
The threat actors leaked 86GB of data, including patient and employee details, financial reports, invoices, contracts, forms, subpoenas, and other private documents.
According to Quantum ransomware’s website, the data leak page for MedLab has been accessed 130,000 times.
Overly delayed disclosure
The disclosure of a cybersecurity incident nine months after it happened isn’t a rapid response, and ACL’s announcement includes a section that attempts to justify this delay.
When MedLab detected unauthorized access to its network in February 2022, the firm conducted a forensic investigation which they say didn’t reveal anything worrying.
In March 2022, ACSC contacted ACL after receiving intelligence that the incident they had suffered was a ransomware attack. In June 2022, the ACSC notified MedLab that the ransomware gang posted the stolen data to a data leak site.
So, according to the company, it took them roughly five months to even realize someone had exfiltrated files from their systems.
As for the four more months from that point until today’s disclosure, ACL says the data set was too complicated to quickly determine what customers were affected.
“Given the highly complex and unstructured nature of the data set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved,” explains ACL.
Sydney-based reporter Jeremy Kirk tweeted that sources examining the leaked data confirmed it was unstructured but not to the point of taking months to analyze.
While hackers are likely not specifically targeting organizations in the country, the Australian government is proposing new data protection laws to provide greater insight into data breaches and to impose more significant fines on companies not adequately protecting data.