Australian Clinical Labs accused of 'sitting on' hack that saw patient data posted to the dark web

Cyber security experts are questioning why it took one of Australia’s biggest pathology services five months to tell its patients that data had been stolen and posted to the dark web.

Australian Clinical Labs (ACL) yesterday revealed it was hit by a cyber attack eight months ago, in February, and that since then it had found out the data of 223,000 people had been accessed and some of it posted to the dark web.

The company — which carries out COVID-19 testing among other services — went public to the ASX about the situation just one day after the full extent of the hacking crisis at Medibank was unearthed.

ACL said the breach affected its subsidiary, Medlab, and that the most-concerning breaches included the leaking of medical and health records, credit card numbers and Medicare numbers.

It said it had been notified by relevant authorities as early as March with concerns that it had been the victim of a ransomware incident, and that it had been told by those same relevant authorities in June that some Medlab data had appeared on the deep recesses of the internet.

“They’ve been sitting on this for a very long time,” Professor Richard Buckland from the University of New South Wales told ABC News.

“Even when they found that [data] had been taken, it seems to have been months before they actually told the public who lost all their information, credit card details, and so on. “It’s most peculiar.”

Medlab describes itself as one of Australia’s largest, privately owned independent pathology practices. Its pathology services include medical testing in New South Wales and Queensland.

As with the Medibank leak, this breach is concerning, not just because of the credit card information but also because of the deeply personal healthcare data that could now be out there publicly.

What was ACL’s obligation to disclose?

The publicly listed company with an annual revenue of almost $1 billion said it first learned of the attack in February but believed no data had been stolen.

“At the time, the external forensic specialists did not find any evidence that information had been compromised,” it said in a statement.

It said it was then contacted by the Australian Cyber Security Centre (ACSC) in March and was told the authority had received intelligence that Medlab might have been the victim of a ransomware incident.

“The company responded to the request for information and confirmed that, to its knowledge, the company did not believe that any data had been compromised,” ACL said in its statement.

ACL said it was then contacted again by the ACSC in June and was told that it believed some Medlab information was on the dark web.

Professor Buckland said the posting of the data to the dark web, which is a hidden part of the internet, would suggest that it had been posted up for sale.

This is dangerous, he said, because it could lead to identity theft or criminals impersonating people to get cash in their name or carry out crimes.

“Every piece of information about you can be combined with other pieces to increase the chance that someone can impersonate you and steal your identity,” he said.

“And, in this case, credit card numbers and CVV numbers allow them to impersonate you and carry out card numbers and transactions. That’s an immediate cost.”

He emphasised that waiting to tell customers meant those people were only now been given the opportunity to change their credit card details or other identifying information.

Professor Buckland said the point where ACL knew information was on the dark web was not the first but the third opportunity where the major company could have told its customers.

“You have a moral duty, an ethical duty as a company, especially one entrusted with medical records and looking after our health.”

In its statement on Thursday, ACL said it had been analysing the data downloaded from the dark web to figure out who it belonged to so it could tell them.

“ACL took immediate steps to find and download this highly complex and unstructured data-set from the dark web and made efforts to permanently remove it,” the company said in a statement.

“This highly detailed and lengthy process took a large team of external data-analysis experts several months to complete, and was necessary to ensure that we did not cause undue alarm and concern for Medlab customers,.

“This is why we haven’t been able to notify involved individuals until now.”

The company was contacted by ABC News about the allegation that it sat on the data breach, which it denied.

What was ACL’s legal obligation to disclose?

Under the Privacy Act, companies with a turnover of more than $3 million — and, specifically, healthcare companies including pathology labs — need to tell the Office of the Australian Information Commissioner (OAIC) about a data breach that is “likely to cause serious harm”.

The OAIC confirmed to ABC News that ACL’s subsidiary Medlab fits that definition, and the company’s website also notes that it is required to comply with the Privacy Act.

ACL confirmed to ABC News that it had notified the OAIC of the data breach in early July. That is, shortly after it was told data was on the dark web.

“The OAIC has ongoing preliminary inquiries with Medlab to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme,” the OAIC said in a statement to ABC News.

Another Australian company has been the target of a cyber attack.(Pexels: Tima Miroshnichenko)

Another cyber security expert, UNSW’s Professor Lyria Bennett Moses, told ABC News that the issue with the Privacy Act was that, as it stands, it did not specify what exactly constituted a leak that would cause “serious harm”.

“Harm from disclosure of information can often be deeply personal to both individuals and result from factors specific to those individuals, about which the organisation generally won’t know,” she said.

Professor Bennett Moses gave one example of a victim of family violence who was living at an location unknown to their abuser for safety reasons.

“The release of that person’s address is likely to result in serious harm in a way that the organisation wouldn’t necessarily conclude by itself,” Professor Bennett Moses said.

“It’s the organisation that makes the assessment about serious harm, but they’re not really in the best position to do so.”

The federal attorney-general, Mark Dreyfus, has flagged that he will seek to overhaul the Privacy Act next year, which both experts agreed was badly needed.

Professor Bennett Moses said clarifying the act’s meaning of serious harm was one area that should be addressed.

“I would almost like the framing of it reversed,” she said, adding that this would mean companies had to prove that no harm had been done to not report.

On Thursday, Mr Dreyfus also introduced a bill to parliament to amend parts of the act until the full overhaul is completed, to bump up fines for companies that do not adequately protect data or report breaches, from $2.2 million to $50 million.

“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset,” Mr Dreyfus said when introducing the bill in parliament.

The higher fines would not be retrospective, he said, so none of the recent headline-making breaches — including Optus, Medibank, or ACL — would be up for heftier fines if these major companies were found to have been non-compliant.

Professor Buckland said that, in his experience, companies often paid ransoms to criminal entities when hacked and did not disclose the breach.

“[The companies] don’t want to talk about it,” he said.

“And the payment of the ransom is, often as not, not only to protect the customers data but to protect the reputation and share price of the organisation.

“Rather than protecting and hiding the problems, it’s [better to] bring them out to the sunlight and actually do something about fixing them.”

Professor Buckland said he wanted more-serious penalties at a board and chief executive level for non-compliant companies, better protection requirements for data as well as clarity on how long data can be held, and for governments to better protect collected data too.

“I’d like to see the wording changed from saying when data has to be kept, to changing to prohibiting data from being kept, and requiring people [who] collect data to then delete it [when it’s no longer needed].”

Other cyber experts have told the ABC that steps could include giving the OAIC the power to investigate breaches of privacy law and apply fines.

To apply a penalty, the regulator must apply to the Federal Court. So far, this has occurred only once, when the OAIC launched an action against Facebook over the Cambridge Analytica scandal.

ACL declined an interview, however, in a statement, chief executive Melinda McGrath apologised yesterday “on behalf of Medlab”.

“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred,” she said.

“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected.”

ACL said it would start contacting impacted people on Thursday, and Medlab customers should monitor their email and postal mail over the coming weeks.

It has also set up a crisis hotline for people to call once they received confirmation that they had been impacted. That number is 1800 433 980.