St Vincent’s Hospital in Sydney. Credit: Peter Rae

A Home Affairs spokesperson on Friday said its Cyber and Infrastructure Security Centre “may choose to undertake regulatory investigations into this incident” once initial investigations were completed.

“Critical infrastructure entities with the Risk Management Program requirements are required to have a Risk Management Program in place already, including covering cyber risks,” the spokesperson said.

The discovery of the breach of the network’s defences came just one month after the federal government’s own long-awaited cybersecurity strategy warned the health care sector’s cyber defence systems were alarmingly unsophisticated.

“Our hospitals and general practitioners hold some of the most sensitive data about Australians and their families. However, the health sector also has one of the lowest cyber maturities across industry,” the report read.

A newly released study from global cybersecurity firm Proofpoint this month also found that over a third of Australia’s top-ranked private and public hospitals were failing on basic cybersecurity measures.

Several major public hospitals are listed as critical infrastructure under federal legislation - alongside other services designated essential for everyday life, such as energy, food, water, transport and communications companies.

A spokesperson for the hospital said it had a risk management plan in place as required by the regulator.

Two sources with knowledge of the investigation, who were not authorised to speak publicly, said between one and two gigabytes of data was stolen.

On Friday, the hospital network briefed its 30,000 staff and issued a public statement saying it had not detected any evidence that personal information was among the trove of copied data.

“Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity,” the statement read.

“Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.”

The federal government, which is working with St Vincent’s and cybersecurity consultants CyberCX on the investigation, also confirmed it was yet to receive any “notifications” that personal data had been stolen.

“With cyber incidents like these across a large network of many different systems, it often takes some time to confidently ascertain how the incident occurred, what the threat actor did, what systems they accessed and what was taken,” said acting national cybersecurity coordinator, Hamish Hansford.

Cyber Security Cooperative Research Centre chief executive Rachael Falk said that hospitals are custodians of “extremely sensitive data” and it was incumbent upon them to keep up with the latest standards set by the regulator.

“It’s another sobering reminder that we end 2023 with yet another data breach,” she said. “In particular, hospitals need to be on notice, and they need to [ask]: ‘have we got our cybersecurity settings right? Are we doing everything necessary to protect valuable patient data?’”

The federal opposition has seized on the government for a perceived lack of transparency and urgency over the data breach, which this masthead first revealed on December 22.

On Friday, shadow minister for health Senator Anne Ruston and shadow minister for home affairs James Paterson issued a joint statement stating it was “baffling” that neither Health Minister Mark Butler nor Home Affairs Minister Clare O’Neil had commented on the matter, leaving it to acting ministers to make public statements on the hack.

“Australians are rightly concerned about their privacy, especially with regard to personal health records,” they said. “The Albanese government must demonstrate to the Australian public that they are taking this matter seriously by being transparent about what they know and what they are doing.”

Butler and O’Neil are on leave.

The health provider said that it first “began responding to a cybersecurity incident” on December 19, but it was not until December 21 that St Vincent’s found that data had been removed from its network, according to the statement.

No cyber criminal activity has been detected on the network since December 20, a spokesperson said.

St Vincent’s operates hospitals across NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities.

The health provider has stressed the hack has not affected its ability to run its hospitals or aged care facilities.

The attack is the latest data breach to hit a major Australian company, with Optus and Medibank suffering cyber incidents in late 2022, while major ports operator DP World Australia shut down its terminals last month after a major cybersecurity attack.

St Vincent’s has set up a dedicated support line for affected patients on 1300 124 507, as well as a dedicated email address: stvincentscybersafety@svha.org.au
