Two sources with knowledge of the investigation, who were not authorised to speak publicly, said between one and two gigabytes of data was stolen.
On Friday, the hospital network briefed its 30,000 staff and issued a public statement saying it had not detected any evidence that personal information was among the trove of copied data.
“Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity,” the statement read.
“Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.”
The federal government, which is working with St Vincent’s and cybersecurity consultants CyberCX on the investigation, also confirmed it was yet to receive any “notifications” that personal data had been stolen.
“With cyber incidents like these across a large network of many different systems, it often takes some time to confidently ascertain how the incident occurred, what the threat actor did, what systems they accessed and what was taken,” said acting national cybersecurity coordinator, Hamish Hansford.
Cyber Security Cooperative Research Centre chief executive Rachael Falk said that hospitals are custodians of “extremely sensitive data” and it was incumbent upon them to keep up with the latest standards set by the regulator.
“It’s another sobering reminder that we end 2023 with yet another data breach,” she said. “In particular, hospitals need to be on notice, and they need to [ask]: ‘have we got our cybersecurity settings right? Are we doing everything necessary to protect valuable patient data?’”
The federal opposition has seized on the government for a perceived lack of transparency and urgency over the data breach, which this masthead first revealed on December 22.
On Friday, shadow minister for health Senator Anne Ruston and shadow minister for home affairs James Paterson issued a joint statement stating it was “baffling” that neither Health Minister Mark Butler nor Home Affairs Minister Clare O’Neil had commented on the matter, leaving it to acting ministers to make public statements on the hack.
“Australians are rightly concerned about their privacy, especially with regard to personal health records,” they said. “The Albanese government must demonstrate to the Australian public that they are taking this matter seriously by being transparent about what they know and what they are doing.”
Butler and O’Neil are on leave.
The health provider said that it first “began responding to a cybersecurity incident” on December 19, but it was not until December 21 that St Vincent’s found that data had been removed from its network, according to the statement.
No cyber criminal activity has been detected on the network since December 20, a spokesperson said.
St Vincent’s operates hospitals across NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities.
The health provider has stressed the hack has not affected its ability to run its hospitals or aged care facilities.
The attack is the latest data breach to hit a major Australian company, with Optus and Medibank suffering cyber incidents in late 2022, while major ports operator DP World Australia shut down its terminals last month after a major cybersecurity attack.
St Vincent’s has set up a dedicated support line for affected patients on 1300 124 507, as well as a dedicated email address stvincentscybersafety@svha.org.au