St Vincent’s cyberattack work of sophisticated criminals, say investigators

An individual at St Vincent’s connected to the investigation who was not authorised to speak publicly said investigators were still working to identify what data has been pilfered.

“The investigation into the stolen data continues at pace,” they said. “The needle continues to move on the exact quantity of the data stolen. We are yet to find any personal information stolen as part of the hack, but this could very quickly change.

“The investigation is highly complex. In other cybercrimes, criminals have deployed ransomware or contacted the victim organisation with copies of the data they have stolen,” the person said. “This hasn’t happened yet in this incident, so the forensic efforts to trace the criminals’ work backwards takes time.”

The dark web is a part of the internet accessible only through special software, allowing users to remain anonymous. It is commonly used for illegal activities.

This masthead broke the news of the St Vincent’s cyber incident on December 22. Patients have since expressed worry about the security of their health information as well as frustration over a perceived lack of communication.

One patient who is receiving care at St Vincent’s Private Hospital in East Melbourne for COVID-19 complications said she was horrified that her sensitive health information might have been stolen by hackers.

Loading

“There’s been no notification to patients about this at all. It’s like they are just pretending nothing’s happened and that’s absolutely appalling,” the patient, who did not want to be identified for medical reasons, said. “I just want some understanding of what’s happening.

“If my records are revealed, I’m not sure, it might mean I have some difficulty buying travel insurance, or my premiums might go up, for example. It’s not the best Christmas present I have ever had … We’ve just been left in the dark and it’s not good enough.”

A source close to the hospital confirmed that most St Vincent’s patients had not been contacted about the cyber incident because it was unclear if any personal information had been stolen. However, aged care residents and their families have been contacted informing them about the hack.

St Vincent’s Health operates hospitals in NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities.

Loading

“Should we discover that any sensitive data has been stolen by cybercriminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process,” a St Vincent’s spokesman said.

“To date, the activities of the cybercriminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.”

The health network has set up a support line (1300 124 507) and email contact ([email protected]) for anyone seeking more information.

St Vincent’s Health could be fined over the hack if the Department of Home Affairs finds it failed to meet international cybersafety standards, as the Melbourne and Sydney hospitals are considered critical infrastructure.

With Rachael Dexter

Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.

An individual at St Vincent’s connected to the investigation who was not authorised to speak publicly said investigators were still working to identify what data has been pilfered.

“The investigation into the stolen data continues at pace,” they said. “The needle continues to move on the exact quantity of the data stolen. We are yet to find any personal information stolen as part of the hack, but this could very quickly change.

“The investigation is highly complex. In other cybercrimes, criminals have deployed ransomware or contacted the victim organisation with copies of the data they have stolen,” the person said. “This hasn’t happened yet in this incident, so the forensic efforts to trace the criminals’ work backwards takes time.”

The dark web is a part of the internet accessible only through special software, allowing users to remain anonymous. It is commonly used for illegal activities.

This masthead broke the news of the St Vincent’s cyber incident on December 22. Patients have since expressed worry about the security of their health information as well as frustration over a perceived lack of communication.

One patient who is receiving care at St Vincent’s Private Hospital in East Melbourne for COVID-19 complications said she was horrified that her sensitive health information might have been stolen by hackers.

Loading

“There’s been no notification to patients about this at all. It’s like they are just pretending nothing’s happened and that’s absolutely appalling,” the patient, who did not want to be identified for medical reasons, said. “I just want some understanding of what’s happening.

“If my records are revealed, I’m not sure, it might mean I have some difficulty buying travel insurance, or my premiums might go up, for example. It’s not the best Christmas present I have ever had … We’ve just been left in the dark and it’s not good enough.”

A source close to the hospital confirmed that most St Vincent’s patients had not been contacted about the cyber incident because it was unclear if any personal information had been stolen. However, aged care residents and their families have been contacted informing them about the hack.

St Vincent’s Health operates hospitals in NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities.

Loading

“Should we discover that any sensitive data has been stolen by cybercriminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process,” a St Vincent’s spokesman said.

“To date, the activities of the cybercriminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.”

The health network has set up a support line (1300 124 507) and email contact ([email protected]) for anyone seeking more information.

St Vincent’s Health could be fined over the hack if the Department of Home Affairs finds it failed to meet international cybersafety standards, as the Melbourne and Sydney hospitals are considered critical infrastructure.

With Rachael Dexter

Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.