Pathology company Australian Clinical Labs reveals it was hit by cyber attack eight months ago

Pathology company Australian Clinical Labs has revealed it was hit by a cyber attack eight months ago, with the data of 223,000 people accessed and some of it posted to the dark web.

The company revealed the situation in a lengthy statement to the ASX this morning, just one day after the full extent of the hacking crisis at Medibank was unearthed.

ACL said the breach affected its subsidiary Medlab, and the data of about 223,000 people, including staff and patients, was accessed.

It said the most concerning breaches included:

  • 17,539 individual medical and health records associated with a pathology test
  • 28,286 credit card numbers and individuals’ names. Of these records, 15,724 have expired and 3,375 had a CVV code attached 
  • 128,608 Medicare numbers (not copies of cards) and an individual’s name attached

“To date, there is no evidence of misuse of any of the information or any demand made of Medlab or ACL,” the company said in its ASX statement.

ACL said it would start contacting impacted people today, and Medlab customers should monitor their email and postal mail in the coming weeks.

It has also set up a crisis hotline for people to call once they confirm they were impacted. The number is 1800 433 980.

Medlab Pathology is a business operating in NSW and Queensland that was acquired by ACL in late 2021.

It said the Office of the Australian Information Commissioner (OAIC) has been notified but did not specify when.

The OAIC has been contacted for comment.

How long has ACL known about this?

The publicly listed company said it first learned of the attack in February but believed no data was stolen.

“ACL immediately coordinated a forensic investigation led by independent external cyber experts into the Medlab incident,” it said.

“At the time, the external forensic specialists did not find any evidence that information had been compromised.”

It said it was then contacted by The Australian Cyber Security Centre (ACSC) in March and was told the authority had received intelligence that Medlab might have been the victim of a ransomware incident.

Source link