Some 223,000 people have been caught up in a major Australian data breach impacting medical records, credit card numbers, and a large batch of Medicare numbers.

To make matters worse, customers were left unaware of the incident for approximately eight months.

In a statement released on 27 October, pathology services provider Australian Clinical Labs (ACL) said Medlab Pathology, a pathology business it acquired in December 2021, experienced a notifiable cyber incident involving its patients and staff data.

The attack is particularly sensitive due to the type of data reportedly exposed – such as medical and health records.

According to ACL, the breached records “of most concern” are:

● 17,539 individual medical and health records associated with a pathology test;

● 28,286 credit card numbers and individuals’ names. Of these records, ~15,724 have expired and ~3,375 have a CVV code; and

● 128,608 Medicare numbers (not copies of cards) and an individual’s name.

ACL reports there is no evidence to date of “misuse of any of the information or any demand made of Medlab or ACL”.

The company also says it has now decommissioned the compromised Medlab server, and its broader systems and databases are not affected by the incident.

Following Medibank's landmark data breach, the attack against Medlab marks the second time in under three weeks that an Australian company has reported a cyber incident impacting medical records.

When commenting on the recent Medibank attack, the Shadow Minister for Cyber Security, James Paterson, said, “in a cyber attack, time is of the essence.

“Early engagement by the government allows the facts to be established, data theft to potentially be disrupted, and gives customers time to take any necessary steps to mitigate the consequences of the breach.

"Every day lost worsens the damage done," he added.

In the case of Medlab, however, the breach was initially discovered back in February, but has only been made public as of last week.

A timeline of the breach

ACL says Medlab originally became aware of unauthorised third-party access to its IT systems back in February 2022.

"ACL immediately coordinated a forensic investigation led by independent external cyber experts into the Medlab incident.

“At the time, the external forensic specialists did not find any evidence that information had been compromised,” ACL said.

ACL was then contacted in March by the Australian Cyber Security Centre (ACSC) saying it had "received intelligence" of Medlab having been the victim of a ransomware incident.

The company responded to the ACSC and confirmed that to its knowledge, it did not believe any data had been compromised.

In June, however, the ACSC reached out again, informing ACL that it believed Medlab information had been posted on the dark web.

"ACL took immediate steps to find and download this highly complex and unstructured data-set from the dark web and made efforts to permanently remove it," said ACL.

From then, ACL began work to determine the nature of the information involved, as well as any individuals who could be at "risk of serious harm" as a result of the incident.

Why wait until now?

ACL says the process of determining the information published on the dark web, and who it belonged to, took several months to complete.

"The information published on the dark web needed to be downloaded and then thoroughly analysed," said ACL.

"This process took several months to complete, including locating current contact details for involved individuals.

"This is why we haven’t been able to notify involved individuals until now."

Based on statements provided by ACL, it appears the company began its analysis of the data after receiving a second contact from the ACSC.

The company has now commenced the process of contacting at-risk individuals via email and postal mail, stating it will provide "information about the incident, how it affects them and additional steps that can be taken to protect their information."

ACL Chief Executive Officer Melinda McGrath said, “on behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred. We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected.”

What should customers do?

The company suggests previous customers should monitor their email and postal mail for a notification from Medlab over the coming weeks.

The notifications will reportedly include tailored information sheets with a precise explanation of the customer information involved, as well as additional steps that can be taken to protect against the misuse of said information.

Medlab says it has taken "a number of proactive steps" with relevant authorities to protect the information of involved individuals where possible.