Data of over 200,000 patients, staff affected by Medlab hack
Around 223,000 patients and staff have been affected by a cyberattack on Medlab Pathology in February.
This is based on findings from a forensic investigation launched by ASX-listed private pathology services provider Australian Clinical Labs (ACL), which acquired the pathology laboratory late last year.
The hacked data includes about 17,500 medical and health records associated with a pathology test, over 28,000 credit card numbers, and around 128,000 Medicare numbers. Affected individuals were said to be mostly confined to NSW and Queensland.
However, ACL noted that there is "no evidence of misuse" of any of the information, nor has any demand been made of Medlab and ACL.
The cyber incident has also left the broader systems and databases owned by ACL untouched, while the compromised IT server of Medlab has already been decommissioned and is no longer in use.
ACL will now start contacting affected individuals directly "by way of individually tailored notifications as soon as practicable."
"ACL, on behalf of Medlab, will commence the process of directly contacting at risk individuals by email and postal mail today, to provide them with information about the incident, how it affects them and additional steps that can be taken to protect their information," it said in a corporate disclosure on Thursday.
In addition, the company has set up a dedicated inbound response team to answer questions from notified individuals and provide them with guidance and remediation advice in relation to the incident. A care team has also been formed to minimise distress and provide support to those whose health records may have been accessed.
Moreover, ACL is working with federal and state government authorities to offer free credit monitoring and/or ID document replacement to individual victims.
THE LARGER CONTEXT
Some weeks after Medlab reported a hack on its IT server, the Australian Cyber Security Centre received intelligence that the pathology service may have been struck by ransomware.
Three months later, ACSC found that some Medlab information had been posted on the dark web. ACL said it immediately responded by finding and downloading the unstructured dataset from the dark web and "made efforts to permanently remove it."
The company then worked to determine the nature of the compromised information and individuals who could be at risk of serious harm due to the hack.
"Given the highly complex and unstructured nature of the data set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved," ACL explained.
THE LARGER TREND
Health insurer Medibank is the latest Australian company to fall victim to a string of cyber incidents this year. The company first reported a network breach two weeks ago. In an update this week, it said that hackers have access to the data of all its 3.9 million customers. The data involves personal information such as names and some Medicare card numbers, as well as health information, including claim codes made by customers.
Over in New Zealand, Pinnacle Midlands Health Network also experienced a recent IT breach. It was reported that hackers have leaked patient data on the web, including data related to the use of hospital services, claiming information, and the immunisation and screening status of individual patients. Affected individuals include past and present patients and customers of the Pinnacle group in Waikato, Lakes, Taranaki and Tairāwhiti districts, including GP practices under Primary Health Care.
ON THE RECORD
"On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred. We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected. We are in the process of providing tailored notifications to the individuals involved. We want to assure all individuals involved that ACL is committed to providing every reasonable support to them. We will continue to work with the relevant authorities," ACL CEO Melinda McGrath said in a statement.