Pathology lab, ACL, criticised for five-month delay in reporting patient data hack

On Thursday, ACL – which has an annual revenue of almost $1 billion – made a ASX announcement which declared that Medlab Pathology had been subject to a notifiable cyber incident dating back to February 2022.

As a result, the personal information of around 223,000 patients and staff had been accessed. The majority of those affected are from NSW and Queensland.

This included the individual medical and health records (associated with a pathology test) of 17,539 individuals, 28,286 credit card numbers and individuals’ names (including around 3375 CVV codes) and 128,608 Medicare numbers which were attached to a name.

Want to stream your news? Flash lets you stream 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer available for a limited time only >

‘Most peculiar’ ACL’s delay questioned

In ACL’s statement shared with the ASX, the company said it “immediately co-ordinated a forensic investigation led by independent external cyber experts” upon realising the unauthorised third-party access.

While the initial search didn’t show that data had been compromised, the company was alerted by the Australian Cyber Security Centre (ACSC) in March that Medlab may have been involved in a ransomware incident. A subsequent request for information confirmed ACL’s original beliefs that no data had been compromised.

Three months later the ACSC escalated concern the compromised data had been shared on the dark web.

Despite knowledge of the compromised data dating back to June, a Professor in CyberCrime Cyberwar and Cyberterror at the University of New South Wales, Professor Richard Buckland told ABC News it was “most peculiar” the leak wasn’t reported closer to the discovery that it had been published onto the dark web.

“Even when they found that [data] had been taken, it seems to have been months before they actually told the public who lost all their information, credit card details, and so on,” he said.

This meant criminals could have accessed the stolen data to commit acts like identity theft, financial scams via impersonation.

“Every piece of information about you can be combined with other pieces to increase the chance that someone can impersonate you and steal your identity,” he said.

“And, in this case, credit card numbers and CVV numbers allow them to impersonate you and carry out card numbers and transactions. That’s an immediate cost.”

In response, ACL attributed the delay to the “highly complex and unstructured nature of the dataset being investigated”.

“It has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved,” they said.

ACL CEO: ‘We apologise sincerely’

The pathology giant’s CEO, Melinda McGrath has also offered an apology to customers and said the company would continue to work with the relevant bodies.

“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred,” she said in the ASX statement.

“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected.

ACL has announced they will now contact all the individuals affected, with dedicated teams on hand to offer guidance, remediation and stress support.

Free credit monitoring and ID replacement will also be offered to individuals who may be at risk of credit and identity fraud.

News.com.au has approached ACL for comment, however they did not respond at the time of publishing.

Originally published as Pathology lab, ACL, criticised for five-month delay in reporting patient data hack