Crown Princess Mary Cancer Centre, one of Sydney's major cancer treatment centres, has been caught up in a cyber attack, as hackers threaten to leak stolen data if a ransom is not paid.
On Thursday, a dark web post appeared claiming that sensitive data had been stolen from the Crown Princess Mary Cancer Centre, and threatening to publish the organisation’s data in seven days unless a $100,000 ransom is paid.
Later that afternoon, NSW Health confirmed it was aware of the threat against the Sydney-based cancer centre, which is part of Westmead Hospital, and that it had begun investigations into the purported incident and whether any patient data had been stolen.
A spokesperson for NSW Health said it did not appear that NSW Health's or the cancer centre's databases were impacted.
"NSW Health continues to investigate this issue which does not appear to have impacted any NSW Health databases, nor Crown Princess Mary Cancer Centre databases," the spokesperson said.
"The safety and security of all NSW Health systems remains of highest importance and is continually monitored and safeguarded.
"NSW Health works closely with state and federal Government cyber security agencies to ensure that any cyber event is prevented, detected and responded to in the most appropriate manner," they said.
The Crown Princess Mary Cancer Centre sits 26 kilometres west of Sydney and is part of the Sydney West Cancer Network.
It provides a range of diagnostic, treatment, prevention and rehabilitation programs for those coping with cancer, and is a significant body in Australian cancer research.
Medusa gang claims attack
The group behind the ominous data-theft claim is known as Medusa – one of the most prominent ransomware groups targeting Australian and New Zealand organisations in 2023.
According to Australian cyber security company CyberCX, the Medusa group has been active since at least 11 January 2023 and has listed at least 20 victims on its dedicated leak site so far, including a now-infamous attack against Minneapolis Public Schools which resulted in sensitive information about kids being leaked online.
The group reportedly utilises a criminal tactic known as 'double extortion', which involves deploying ransomware to encrypt a chosen victim's data, then exfiltrating said data and threatening to publish it, typically on the condition of a significant ransom payout.
Furthermore, the largely anonymous criminal group leaks its stolen data via both dark net and the publicly accessible internet, even utilising social media such as Twitter and Facebook to publish sensitive information.
On Medusa's leak site, the group typically offers a flippant collection of payment options to its supposed victims – in the case of Crown Princess Mary Cancer Centre, the dark web leak listing displays buttons labelled "Add time 1 day", "Delete All Data" and "Download data now!" coupled with price tags ranging from $10,000 to $100,000.
According to CyberCX, which was involved in investigation efforts following the landmark 2022 data breach at health insurer Medibank, the Medusa group poses a "high threat" to organisations in the Pacific region.
"We assess Medusa Team poses a high threat to organisations in Australia, New Zealand," said CyberCX.
"In February alone, Medusa Team was the second most frequent cyber extortion group to target organisations in the Pacific region," it added.
When last live, the dark web listing for Crown Princess Mary Cancer Centre displayed a countdown timer set to one week.
The ransom demand comes as Australia's government continues to eye a potential ban on paying ransoms – a prospective change which would be aimed at reducing the incentive for cyber attacks and deterring criminal gangs from enacting further ransom demands against Australian businesses.
Oakley Cox, Analyst Technical Director at IT company and cyber defence specialist Darktrace, suggests gangs such as Medusa might not be halted by such an initiative.
"The attack also highlights the challenge in implementing a ban on paying ransoms, as was recently mooted by the Australian Government," said Cox.
"Even if a ban were feasible and enforceable, attackers will still be motivated to use ransomware, seeking out situations in which the sensitivity of the data involved brings moral and ethical questions about whether paying the ransom is in fact the best course of action."
Cox also highlights that Medusa and similar ransom gangs are in a favourable position following recurrent ransom activity, often holding an advantage over their victims even when a ransom is refused.
"The Medusa criminal gang has a recent history of stealing highly sensitive and personal data in order to hold their targets to ransom," said Cox.
"For the criminal gangs involved, it creates a win-win scenario. Either they obtain a large payout in the form of hard-to-trace cryptocurrency, or they gain the notoriety and infamy associated with a high impact and widely publicised cyber attack.
"In both scenarios, the chances of being caught and held to account for their actions are small."
Medusa's reported cyber attack signals the latest in a string of security incidents impacting the Australian healthcare sector, including Medibank, at-home care service My Home Hospital, and pathology business Medlab Pathology.