Pathology company Australian Clinical Labs has revealed it was hit by a cyber attack eight months ago, with the data of 223,000 people accessed and some of it posted to the dark web.
The company revealed the situation in a lengthy statement to the ASX this morning, just one day after the full extent of the hacking crisis at Medibank was unearthed.
ACL said the breach affected its subsidiary Medlab, and the data of about 223,000 people, including staff and patients, was accessed.
It said the most concerning breaches included:
- 17,539 individual medical and health records associated with a pathology test
- 28,286 credit card numbers and individuals' names. Of these records, 15,724 have expired and 3,375 had a CVV code attached
- 128,608 Medicare numbers (not copies of cards) and an individual's name attached
"To date, there is no evidence of misuse of any of the information or any demand made of Medlab or ACL," the company said in its ASX statement.
ACL said it would start contacting impacted people on Thursday, and Medlab customers should monitor their email and postal mail in the coming weeks.
It has also set up a crisis hotline for people to call once they confirm they were impacted. The number is 1800 433 980.
Medlab Pathology is a business operating in NSW and Queensland that was acquired by ACL in late 2021.
It said the Office of the Australian Information Commissioner (OAIC) has been notified but did not specify when.
How long has ACL known about this?
The publicly listed company said it first learned of the attack in February but believed no data was stolen.
"ACL immediately coordinated a forensic investigation led by independent external cyber experts into the Medlab incident," it said.
"At the time, the external forensic specialists did not find any evidence that information had been compromised."
It said it was then contacted by the Australian Cyber Security Centre (ACSC) in March and was told the authority had received intelligence that Medlab might have been the victim of a ransomware incident.
"The company responded to the request for information and confirmed that to its knowledge the company did not believe that any data had been compromised," ACL said in its statement.
ACL said it was then contacted again by the ACSC in June and was told that some Medlab data was on the dark web.
It said it had since been analysing the data downloaded from this hidden section of the internet to figure out who it belonged to so it could tell them.
"This highly-detailed and lengthy process took a large team of external data-analysis experts several months to complete, and was necessary to ensure that we did not cause undue alarm and concern for Medlab customers," the company said in a statement.
"This is why we haven't been able to notify involved individuals until now."
The ACSC was contacted for comment.
"We are conscious that there is a lot of public concern at present about recent data breach events," ACL said.
"We remind all of our community, including those not impacted by this event, to be on alert for telephone and online scams such as phishing emails and communications from unknown senders."
ACL declined an interview but in a statement chief executive Melinda McGrath apologised "on behalf of Medlab".
"On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred," she said.
"We recognise the concern and inconvenience this incident may cause those who have used Medlab's services and have taken steps to identify individuals affected.
"We are in the process of providing tailored notifications to the individuals involved.
"We want to assure all individuals involved that ACL is committed to providing every reasonable support to them. We will continue to work with the relevant authorities."