
What Has Happened?

Australia’s largest not-for-profit health and aged care provider has fallen victim to a cyberattack. This attack was discovered on the 19th of December, and it has been carried out in the same way as a 2022 data breach that crippled private health insurer Medibank. It is believed the cyberattack was carried out by a sophisticated group of cybercriminals who gained access to the organisation’s data through a compromised account.

Data Exposed

The organisation has confirmed that data has been removed from a system but is yet to determine the quantity and type of data stolen in the attack, which has left customers and potentially affected individuals in the dark. The organisation has advised, “Should we discover that any sensitive data has been stolen by cybercriminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process”.

“The investigation is highly complex. In other cybercrimes, criminals have deployed ransomware or contacted the victim organisation with copies of the data they have stolen,” an anonymous St Vincent’s spokesperson said. “This hasn’t happened yet in this incident, so the forensic efforts to trace the criminals’ work backwards takes time.”

Attack Method

Two sources from the organisation have revealed that the evidence collected so far points to stolen login credentials as the cause of the attack.

As with the St Vincent’s health network, the Medibank hack began with the theft of credentials belonging to an individual with privileged access to its internal systems. In the case of Medibank, these credentials were bought on the dark web by an anonymous buyer who then used them to gain access to the insurer’s internal systems.

Some of the stolen credentials used in the attack came from computers that ran Windows Home, which is usually used for personal devices, and that had access to St Vincent’s work services. The malware tools identified in the attack are often inadvertently installed by someone when downloading or installing pirated content or clicking on a malicious link.

“So you have a really perfect storm where they have a personal computer infected but they are accessing work services from home with a device that isn’t as well locked down,” said Mr O’Reilly, Chief Executive of cybersecurity company Dvuln.

Support

The health network has set up a support line (1300 124 507) and email contact (stvincentscybersafety@svha.org.au) for anyone seeking more information. Further updates, information releases, and questions and answers can be found on the St Vincent’s Health Australia website.

If you’re concerned you have become a victim of identity theft or have fallen victim to a scam, you can contact IDCARE, Australia’s national identity and cyber support service.

Sources:

The Sydney Morning Herald

Nine News

Financial Review