Australian Clinical Labs (ACL) disclosed on October 27, 2022, a data breach in its Medlab Pathology division. The attack took place in February 2022 end resulted in exposing the personal data of 223,000 people.
The Australian healthcare company has 89 medical laboratories which do six million tests each year for 92 private and public hospitals in Australia.
Details about the Attack
According to Australian Clinical Labs (ACL) statement, the leaked data include:
- 128,608 Medicare numbers and full names
- 28,286 credit card numbers, 12% of which have a CVV code, and 55% are expired
- 17,539 individual medical and health records associated with pathology tests
All impacted patients have been announced about the data breach and will be offered free credit monitoring and identity theft protection services, and ID document replacements if needed.
ACL notified Australian authorities: Australia’s Cyber Security Center (ACSC), and the Office of the Information Commissioner (OAIC). While ACSC was the one who alerted the Labs that stolen data is now on the dark web, the company says that for the moment there is no sign of malicious use of the information.
Quantum ransomware gang took responsibility for the attack posting all stolen files on its Tor site on June 14, 2022. The 86GB of data leaked contains patient and employee details, financial reports, invoices, contracts, forms, and subpoenas. The data leak page for MedLab on the Quantum ransomware’s website has been accessed 130,000 times.
A Nine Months Long Timeline
From the moment of the ransomware attack to yesterday’s notification nine months have passed, and Australian Clinical Labs (ACL) tries to motivate its delay by explaining the timeline.
ACL first detected the incident in February 2022, but the forensics did not reveal anything wrong. In March 2022, ACSC contacted them after finding out about the attack, and only in June 2022 ACSC warned about the data leak. So, five months have passed from the day of the attack until the data exfiltration was discovered.
Another four months went by from June 2022 to October 2022 until Australian Clinical Labs publicly disclosed the breach, claiming that “the data set was too complicated to quickly determine what customers were affected”, according to BleepingComputer.
It was not the first attack on Australian businesses, over the last two months we have seen cybercriminals targeting Optus, Medibank, MyDeal, and Vinomofo. This made the Australian government suggest a new data protection set of laws with more insight into cyberattacks and greater fines for companies not protecting their data.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.