This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Quote Of The Year
Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record, it's a Government Record Of Your Health Information"
or
H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."
Wednesday, November 02, 2022
It Really Is Not Good Enough To Take 5+ Months To Notify Patients Of A Data Leak
Medical testing company Medlab Pathology and its parent, Australian Clinical Labs, took five months after a government warning that customers' data was on the dark web to tell 223,000 people their personal information had been exposed.

The exposed data includes 17,539 test records; almost 30,000 credit card details, though some are expired; some driver's licence and passport information; and the Medicare card information of 128,000 people.

Optus and Medibank were both pilloried for their communications after their respective cybersecurity breaches; however, both issued repeated updates to customers as soon as they became aware of the intrusion. In contrast, Medlab first detected signs of the hack in February but waited until October to publicly disclose it.
Australia's corporate and privacy watchdogs, which enforce rules that require prompt disclosure of hacks, are both reviewing the episode. Cybersecurity policy expert Rachael Falk said Medlab should have gone public faster.

"My view is as soon as you know you have a breach and you fall under the Privacy Act, even if you're not sure, disclose, disclose, disclose," said Falk, chief executive of the Cyber Security Co-operative Research Centre.

"Disclosure and transparency is always the best option."
While the breach was detected in February, security contractors hired by Medlab found no evidence the hackers had compromised customer data. The company relied on that advice to dismiss government questions in March about whether it had been hit by a potential ransomware attack.

In June, the Australian Cyber Security Centre found Medlab customer data on the dark web, but the company did not inform its customers because it was analysing the "complex and unstructured" data to determine what information had been taken from which customers. It started to contact customers on Thursday.

Medlab's ASX-listed parent Australian Clinical Labs defended its disclosure on Thursday.
"Given the highly complex and unstructured nature of the data-set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved," it said in a statement. Its shares slumped over 12 per cent on the news but made up some ground to close 5.4 per cent weaker at $3.35.

Australian Clinical Labs said it believed the best way to minimise harm to patients whose data was stolen was to contact them directly with tailored notifications.

The Office of the Australian Information Commissioner, which enforces privacy laws, was told of the breach on July 10, and is making preliminary inquiries about Medlab's compliance with laws that require firms to report data breaches promptly.
"Under the notifiable data breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the [commissioner's office] as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved," a spokesman said.

The information commission has previously said it "does not consider that tailoring notifications justifies delay in notifying affected individuals". The watchdog's commissioner, Angelene Falk, emphasised earlier this year that any delays in telling hack victims can make it harder for them to protect themselves.
A cyberterror expert has questioned why a pathology giant waited five months to inform patients of a data breach that saw credit card and health records leaked.

One of Australia's largest pathology labs, Australian Clinical Labs (ACL), has been criticised for waiting five months to inform patients their data had been stolen and leaked onto the dark web.

On Thursday, ACL - which has an annual revenue of almost $1 billion - made an ASX announcement which declared that Medlab Pathology had been subject to a notifiable cyber incident dating back to February 2022.

As a result, the personal information of around 223,000 patients and staff had been accessed. The majority of those affected are from NSW and Queensland.

This included the individual medical and health records (associated with a pathology test) of 17,539 individuals, 28,286 credit card numbers and individuals' names (including around 3375 CVV codes), and 128,608 Medicare numbers which were attached to a name.
‘Most peculiar’ ACL’s delay questioned
In ACL's statement shared with the ASX, the company said it "immediately co-ordinated a forensic investigation led by independent external cyber experts" upon realising the unauthorised third-party access.

While the initial search didn't show that data had been compromised, the company was alerted by the Australian Cyber Security Centre (ACSC) in March that Medlab may have been involved in a ransomware incident. A subsequent request for information confirmed ACL's original belief that no data had been compromised.

Three months later the ACSC escalated concern that the compromised data had been shared on the dark web.

Given that knowledge of the compromised data dates back to June, Richard Buckland, Professor of Cybercrime, Cyberwar and Cyberterror at the University of New South Wales, told ABC News it was "most peculiar" the leak wasn't reported closer to the discovery that it had been published on the dark web.
It really is not good enough for a company to know patient data is out on the dark web for a month or two and not have told their clients so they could take sensible steps to protect themselves against ID theft and fraud.

For an ASX listed company with turnover close to $A1 billion it is really pathetic!
Sadly I hold a few shares in ACL and I am not at all pleased at the damage done to the share price!!

It seems to me that we need a law change or two, to provide companies with a much tighter sense of urgency regarding disclosure - especially to those affected!
David.
p.s. I read today in the SMH that the Privacy Commissioner does not have the power to force leak disclosure but that the AG intends that to change!