Update Incident: Australian Clinical Labs accused of ‘sitting on’ hack that saw patient data posted to the dark web | ABC News Australia

Australian Medical Privacy Breach, 28 October 2022

Australian Clinical Labs subsidiary Medlab Pathology, accused of ‘sitting on’ hack that saw patient data posted to the dark web

ACL says it first learned of the attack in February but believed no data was stolen

Company Statement: Medlab Pathology Cyber Incident Response and Support
Source: Australian Clinical Labs accused of ‘sitting on’ hack that saw patient data posted to the dark web | ABC News Australia

Update 03/11/23: Australian Clinical Labs to face court over 2022 data breach | cyberdaily.au
The Office of the Australian Information Commissioner believes Australian Clinical Labs did not adequately protect personal data, leading to an increased risk of “identity theft, extortion and financial crime”.

Australian Clinical Labs (ACL) yesterday revealed it was hit by a cyber attack eight months ago, in February, and that since then it had found out the data of 223,000 people had been accessed and some of it posted to the dark web.

Pathology company ACL says it first learned of the attack in February but believed no data was stolen. The company says it told the relevant authorities about the data hack in July, after learning details were on the dark web. However, it only told customers that their data had been hacked and some of it posted to the dark web this week.

ACL said the breach affected its subsidiary, Medlab, and that the most-concerning breaches included the leaking of medical and health records, credit card numbers and Medicare numbers.

Under the Privacy Act, companies with a turnover of more than $3 million — and, specifically, healthcare companies including pathology labs — need to tell the Office of the Australian Information Commissioner (OAIC) about a data breach that is “likely to cause serious harm”.

The OAIC confirmed to ABC News that ACL’s subsidiary Medlab fits that definition, and the company’s website also notes that it is required to comply with the Privacy Act.

ACL confirmed to ABC News that it had notified the OAIC of the data breach in early July. That is, shortly after it was told data was on the dark web.

About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.
