St Vincent’s – Australia’s largest not-for-profit health and aged care provider – has confirmed it has fallen victim to a cyber-attack and hackers have stolen some of its data.
In a statement, St Vincent’s Health Australia confirmed it began responding to a cybersecurity incident on Tuesday. It discovered late on Thursday that data had been stolen.
“St Vincent’s immediately took steps to contain the incident, engaged external security experts and notified all relevant state and federal governments and the necessary agencies,” it said on Friday.
“Late on Thursday 21 December, St Vincent’s found evidence that cybercriminals had removed some data from our network. St Vincent’s is working to determine what data has been removed.”
The health provider said the investigation was ongoing and included “working to secure its systems, understand what the cybercriminals have done and identify what data may have been accessed and stolen”.
“To date, this incident has not affected the ability of St Vincent’s to deliver the services our patients, residents and the broader community rely on across our hospital, aged care, and virtual and home health networks,” it said.
“Our priority is the health and safety of our patients, residents and our people, and the continuity of St Vincent’s services for the community.”
The acting national cyber security coordinator, Hamish Hansford, said work was being done with National Office of Cyber Security, Services Australia, the Department of Health and Aged Care, and relevant state and territory agencies “to ensure a coordinated government response to this incident and to mitigate any flow-on effects”.
“The Australian Signals Directorate’s Australian Cyber Security Centre is also working closely with St Vincent’s,” the coordinator said in a statement.
“St Vincent’s has taken immediate steps to contain the incident and is prioritising the health and safety of its patients and people and the continuity of services for the community.
“I know these incidents are distressing for those affected. We are focused on assisting St Vincent’s to consider and address impacts arising from this incident.”
St Vincent’s operates two major inner-city hospitals in Melbourne and Sydney, as well as 10 private hospitals and 26 aged care facilities. It employs about 30,000 people.
It is not the first major company to be hit by a cyber attack in recent years, with both Medibank and Optus also falling victim.