Incident: Australian Clinical Labs accused of ‘sitting on’ hack that saw patient data posted to the dark web | ABC News Australia
Australian Medical Privacy Breach, 28 October 2022
Australian Clinical Labs subsidiary Medlab Pathology accused of ‘sitting on’ hack that saw patient data posted to the dark web
ACL says it first learned of the attack in February but believed no data was stolen
Australian Clinical Labs (ACL) yesterday revealed it was hit by a cyber attack eight months ago, in February, and that since then it had found out the data of 223,000 people had been accessed and some of it posted to the dark web.
Pathology company ACL says it first learned of the attack in February but believed no data was stolen. The company says it told the relevant authorities about the data hack in July, after learning details were on the dark web. However, it only told customers this week that their data had been hacked and some of it posted to the dark web.
ACL said the breach affected its subsidiary, Medlab, and that the most-concerning breaches included the leaking of medical and health records, credit card numbers and Medicare numbers.
Under the Privacy Act, companies with a turnover of more than $3 million — and, specifically, healthcare companies including pathology labs — need to tell the Office of the Australian Information Commissioner (OAIC) about a data breach that is “likely to cause serious harm”.
The OAIC confirmed to ABC News that ACL’s subsidiary Medlab fits that definition, and the company’s website also notes that it is required to comply with the Privacy Act.
ACL confirmed to ABC News that it had notified the OAIC of the data breach in early July, that is, shortly after it was told data was on the dark web.