One patient said he was shocked to learn his private details had been accessed by a hacker.
“You expect that when you go to somewhere like the Epworth and see their specialists that the patient information that the hospital has passed onto the specialist will remain secure,” he said.
“It’s disappointing.”
The alleged hackers initially boasted online that they had breached Epworth’s IT systems.
But an Epworth spokeswoman said the hospital had conducted a thorough investigation and there had been no such breach. She said the issue related to another health service provider that was not connected to the Epworth’s IT environment.
“The third party has been notified,” she said. “Patient care remains fully operational and safe across all Epworth hospitals.”
A Royal Melbourne Hospital spokeswoman said the health service had also conducted a thorough investigation and its systems had not been breached or compromised.
The Office of the Australian Information Commissioner has been notified of the incident.
Health services have reported the most data breaches to the commissioner since 2018. There were 121 breaches between July and December last year, up from 79 over the same period in 2022.
Health service providers now make up about 20 per cent of all breach notifications, followed by the Australian government (17 per cent) and the finance sector (9 per cent).
“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely,” a spokeswoman for the commissioner said, adding that she could not comment on specific breaches.
“This is very important for health service providers given the sensitive information they hold.”
Megan Lane, health and aged care lead for CyberCX, the country’s largest cybersecurity firm, said third-party healthcare providers represented the industry’s “soft underbelly”.
“While hospitals might seem like an obvious target, it is the thousands of GPs, specialists, and allied care providers scattered across the care economy that are targeted up to 10 times more,” Lane said.
“These businesses process incredibly sensitive personal and medical information, but are less heavily cyber-regulated, and tend to outsource technology and IT decision-making and management which often leaves them more vulnerable.”
RMIT professor Matt Warren, from the university’s Centre for Cyber Security Research & Innovation, agreed.
“Health contractors tend to be smaller organisations. They become a more attractive target for hackers who are after patient details.”
A specialist doctor, who did not want to be identified, said his practice in regional Victoria had to pay $25,000 to a hacker in 2022 after they took control of patient files and prevented medical staff from accessing them.
“It was extremely stressful,” he said. “We attempted to open the electronic patient files on a Monday morning but were shut out for four days … all the patients were coming in and we had no idea who they were.”
He said health providers went to great lengths to protect their patients’ data, but hackers still found a way to evade these protections.
In April 2024, 12.9 million Australians – about half the population – had their data stolen in an attack on electronic prescription provider MediSecure. Some 6.5 terabytes of data, including insurance numbers and names and addresses, was subsequently published on a Russian hacking forum and MediSecure then went into administration.
The year prior, the details of almost 10 million current and former Medibank customers – including birthdates and passport numbers – were stolen.
The cardiologist was contacted for comment.

