A December cyber attack at St Vincent’s Health Australia has left patients in the dark on whether their sensitive health data has been compromised.

St Vincent’s – Australia’s largest not-for-profit hospital – began responding to a cyber security incident on 19 December 2023.

In a statement issued three days later, the organisation revealed it found evidence that cyber criminals removed “some data” from its network.

“St Vincent’s is working to determine what data has been removed,” said St Vincent’s Health Australia.

“The investigation into this matter is ongoing.”

While St Vincent’s reports the “activities of the cyber criminals” have not impacted its ability to deliver its services across its hospital, aged care and virtual and home health networks, the hospital has offered little information on the data theft itself.

The company’s initial statement did not reveal precisely what data may have been impacted, and while an update was given one week later, St Vincent’s was still unable to publicly confirm whether patient data had been stolen during the attack.

Patients are still waiting to hear whether their data has been impacted, and what kind of information may have been leaked.

In late December, St Vincent’s said it was still working to determine what data had been removed, but expected it could “take some time” given the “complex and highly technical” nature of its investigations.

“Should we discover that any sensitive information has been stolen by cyber criminals, we will do all that we can to contact the impacted persons to inform them of this, give them information about the steps that they can take to protect themselves and support them through that process,” it said.

St Vincent’s told Information Age on Monday that it could not offer any updates on the data theft or identity of those behind the incident.

Fine

According to The Age, the hospital could face a fine over the hack if Home Affairs finds it failed to meet international cyber safety standards.

A Home Affairs spokesperson said Home Affairs’ Cyber and Infrastructure Security Centre may choose to “undertake regulatory investigations”, and further noted that “critical infrastructure entities with the Risk Management Program requirements are required to have a Risk Management Program in place already, including covering cyber risks.”

The company could be subject to such requirements, given its Melbourne and Sydney hospitals qualify as critical infrastructure; however, a spokesperson for St Vincent’s has reportedly confirmed a risk management plan was in place as required.

Meanwhile, Home Affairs Minister Clare O’Neil – who has fronted the public for past attacks at Medibank and Optus – has faced online criticism for her lasting silence on the St Vincent’s attack.

“Has Clare O'Neil fronted the Australian public about the medical information/data stolen from St. Vincent's hospital?” wrote user ReeDiamond2 on social media platform X.

“It’s been TEN DAYS!! Claire O’Neil… what is going on?”

Shadow Minister for Home Affairs James Paterson echoed these criticisms in late December, stating “hundreds of thousands, if not millions of Australians” didn’t know whether their private health information had been “stolen by a criminal gang”.

“It's about time that the government fronted up and explained what they know, when they knew it, and what they're doing about it to get to the bottom of this and find out whether Australians’ data has been stolen, how much of it has been stolen, and who has taken it,” said Paterson.

Meanwhile, The Australian Financial Review reports the hackers succeeded in their attack using compromised accounts not yet discovered on the dark web – a claim which has reportedly been confirmed by a source “close to the investigation” into the St Vincent’s hack.

The hospital says its teams have “worked tirelessly” to implement enhanced monitoring on its network and systems, deploy investigatory tools and review its system logs.

Furthermore, the company says it has notified all relevant state and federal governments, and has further engaged external security experts CyberCX, which recently assisted one of Australia’s largest energy suppliers, Energy One, with a cyber attack of its own.

No cyber criminal activity has been detected on St Vincent’s networks since 20 December.