St Vincent’s unable to confirm if medical records stolen

The Australian, 25 December 2023

One of Australia’s largest health networks that was the target of a cyber security breach has no idea whether hackers stole private medical data almost a week after the attack.

St Vincent’s hospital on Monday confirmed it did not know whether sensitive health records had been taken, sparking concern the organisation had failed in its duty to protect sensitive patient information.

The Australian understands all the data stolen in the attack was taken last Tuesday. It took another day for the health provider to brief Home Affairs Minister Clare O’Neil, and the incident was not publicly announced until Friday. Anthony Albanese had not received a briefing on the incident when he conducted a press conference in Cairns on Friday.

Government sources say they believed a “relatively small amount” of data was stolen.

Peak medical bodies, unions and the opposition blasted the organisation amid concern it had failed to protect private information, which could undermine Australians’ confidence in the hospital system more broadly.

St Vincent’s, operator of 10 hospitals and 26 aged-care facilities in NSW, Queensland and Victoria, on Friday revealed it had been the subject of a major health breach it had first detected and begun responding to on Tuesday.

A spokesman on Friday said it was still working to determine what data had been removed but by Monday no further information had been gathered.

“St Vincent’s continues to investigate the cyber crime and will update as that work develops, as we did on Friday,” the spokesman said. “The investigation and monitoring efforts are continuing around the clock. Should we identify any personal data that was stolen we will do everything to directly contact anyone personally impacted by this attack on us by cyber criminals.”

Health Services Union national secretary Gerard Hayes said the group’s failure to ascertain what data had been stolen was a “major concern” and that the attack must be a “wake-up call” for medical institutions and governments.

“That is a major concern. I have been a big supporter of electronic records but the utmost levels of security must go into that. I am mindful people have a range of extremely sensitive conditions and privacy must be of the utmost concern,” Mr Hayes said.

“We have seen from the Optus and Medibank hacks that everyone must be doing everything they can to give confidence to people that things are being done to protect their data. If health and hospitals can be hacked then this is a wake-up call not only for those institutions but governments too to prevent it.”

The chief executive of patient advocacy group Australian Patients Association, David Clark, criticised St Vincent’s amid concern it should have some idea on whether private data had been stolen given almost a week had passed.

“It is a concern for us in itself a week later they still have no idea what happened and have no idea how much data was taken,” Mr Clark said. “It’s not clear the impact this has on patients; we don’t know if information was taken but we do know when hackers get hold of sensitive information they often sell it and make it available more widely.”

Opposition health and aged care spokeswoman Anne Ruston called on Labor to urgently update Australians on the security of their health data and reveal when it first knew about the attack.

“It is outrageous that we have not had an update from the Prime Minister, Health Minister or Home Affairs Minister regarding the security of Australian health data,” she told The Australian.

“The opposition calls on the government to publicly confirm that they are assisting St Vincent’s and demands swift and comprehensive action to prevent further breaches.”

Australian Medical Association president Steve Robson said the hack underscored the need for hospitals to be “great custodians of patient data”.