The Royal Women’s Hospital apologised to 192 patients on Thursday night after an investigation revealed their personal details were potentially stolen by hackers. The personal details of patients at the major Melbourne hospital were compromised after cybercriminals hacked an unsuspecting staff member’s private email.
Cybersecurity experts conducted a forensic investigation, and the majority of the impacted patients received notifications on Thursday morning.
As the investigation into the data breach continues, patients and members of the public will be eagerly awaiting further updates on the extent of the breach and the steps being taken to safeguard patient information.
A hotline number has been established for affected patients where they can connect with cyber experts for detailed advice and support as well as free counselling services.
“(We are) very sorry to advise of a recent incident where cybercriminals gained access to the private email account of a staff member,” a hospital spokesman said in a statement.
“We are taking this matter very seriously and apologise sincerely for any distress and inconvenience caused to affected patients.”
The Royal Women’s Hospital has set up a dedicated helpline for affected patients to address their concerns and provide additional information.
Monash University head of software systems & cybersecurity, faculty of Information Technology Professor Monica Whitty said, “This case demonstrates that workplaces need to develop policies and secure technology that understands and acknowledges how employees behave while accessing their organisation’s online networks,”
“Research shows that these ‘accidental insiders’ – employees who accidentally expose data or create vulnerabilities in their cyber workspace – do not have bad intentions towards an organisation, and when they find security workarounds it is often because they are committed employees who want to do their jobs effectively,”
“This is primarily because often, technological security systems seem to pose delays and prevent productivity or efficiency in the workplace,”
“The pandemic opened up new ways of working, for example working from home; however, industries need to enable employees to adopt different working styles while ensuring their information systems are secure,” said Whitty.
It’s now understood the employee forwarded work emails to their private email account to review and co-ordinate their patient appointments.
In a statement, the hospital assured patients that medical records were not accessed and the hospital’s official email or IT systems were not hacked.
“The Women’s is thoroughly investigating the attack and has put in place actions to ensure that affected patients receive accurate information and adequate support,” the hospital said.
The Royal Women’s Hospital has become the latest victim of a startling surge in cybersecurity threats witnessed over recent years.
This alarming new trend in Australia has seen numerous high-profile entities, ranging from Pizza Hut to the news outlet The Guardian and including government agencies, fall prey to cyberattacks.
Just last month, the Australian Federal Police (AFP) found themselves among the casualties of a cyberattack that targeted a national law firm. The breach resulted in the theft of critical data from HWL Ebsworth, one of Australia’s largest commercial law firms, which counts the AFP as one of its clients.
A report released by Microsoft in December of the previous year, titled “Cyber Signals,” highlighted the vulnerability of vital infrastructure.
It warned that parts of the energy grid and essential services, including sewage treatment plants, were susceptible to cyberattacks, potentially endangering lives in the process.
The Royal Women’s Hospital reiterates it has not been hit by a cyberattack and the breach was sparked by a worker who sent details about the patients to their personal email account in a bid to co-ordinate appointments and treatment.
The hospital’s administration has also initiated an inquiry into the cyberattack and stated the hospital is committed to providing ongoing updates to patients.
“We are taking this matter very seriously and apologise sincerely for any distress and inconvenience caused to affected patients,” a spokesperson said.
Additionally, the hospital has confirmed that medical records have not been accessed and that the service’s IT systems remained secure. It is also offering affected patients free counselling and help from cybersecurity experts.