Information Commissioner announces investigation into Medlab over data breach
December 5, 2022
On 27 October 2022 Medlab Pathology announced that it had experienced a cyber attack in February 2022. The timing is interesting given that, in the Optus data breach, customers were notified in September and further notifications and advice were provided in October. Coincidence? It is very curious.
In its statement Medlab does not say when the breach was first detected; it does confirm that the ACSC contacted Medlab in June, when it detected Medlab data that had been published on the dark web. Its explanation of why it did not notify customers until 27 October is general and convoluted to the point of being disingenuous. It says that it took several months to download and analyse “what information was and who it belonged to.” That is far from best practice and would attract the ire of regulators in England and the European Union. Medlab’s statement is not good. It raises many more questions than it answers. Perhaps it is the best that could be done given the way Medlab handled the breach.
Subsequent to the October announcement there were reports stating that the cyber attack affected 223,000 Australians and:
- 17,539 individual medical and health records associated with a pathology test;
- 28,286 credit card numbers and individuals’ names. Of these records, ~15,724 have expired and ~3,375 have a CVV code; and
- 128,608 Medicare numbers (not copies of cards) and an individual’s name.
The Office of the Information Commissioner undertook preliminary enquiries, which is entirely understandable given the size of the breach, the apparent delay in notification and the sensitivity of the personal information lost. Those enquiries have led to today’s announcement that it will open a formal investigation. That is hardly surprising.
Under the legislation an affected organisation has 30 days to notify the Commissioner and clients if there has been a notifiable data breach. It is critically important to respond efficiently to a data breach. That means having a plan in place before suffering one. Trying to understand the law, undertake remediation and keep running the business, all at the time of the data breach, is a recipe for poorly thought through actions, missteps and poor outcomes, possibly ending with the regulator investigating.
This may be a very influential investigation in setting parameters for what reasonable steps to investigate a data breach and notify customers look like. A complicating factor is the likelihood that the data breach notification regime will be overhauled. It may still be an influential investigation if the Commissioner sets down principles in a determination, or if a court provides judicial guidance on what constitutes reasonable steps to protect data.
The Medlab statement relevantly provides:
In February 2022 Medlab Pathology (Medlab) experienced a cyber incident, where some personal information of its patients and staff was involved.
We are not aware that any information involved in the incident has been misused but on Thursday 27 October we will commence the process of directly notifying involved individuals of the incident and the types of personal information of theirs involved.
These direct notifications will be sent via email and/or postal mail and will include an overview of the actions that we have taken to protect the information and privacy of those involved and advise them of what additional steps they can take.
The incident has been reported to the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) and relevant Government departments.
To provide involved individuals with additional support and advice, we have established an inbound support team to answer any questions they may have in relation to this notification.
We recognise the concern and inconvenience this cyber incident may cause involved individuals and sincerely apologise that it has occurred.
What happened?
In February 2022, Medlab experienced a cyber incident where an unidentified third-party gained unauthorised access to the Medlab I.T. environment.
Upon discovery of the incident, we took immediate action to deactivate any potentially-involved systems. We engaged leading external cyber security and forensic I.T. experts to assist us in responding, which included applying enhanced cyber security measures, and conducting a forensic I.T. investigation into what happened.
The forensic I.T. investigation, conducted by external experts at the time, did not reveal any evidence that information stored in our systems had been accessed or downloaded during the incident.
In June 2022, Medlab was contacted by the ACSC which had detected the publication of some Medlab data on the dark web (the dark web is a hidden part of the internet, not searchable via mainstream search engines such as Google, and requires specialised software to access).
Medlab then took steps to download this dataset from the dark web, and spent several months to analyse the data so it could determine what information was included in the dataset and who it belonged to.
This highly-detailed and lengthy process took a large team of external data-analysis experts several months to complete, and was necessary to ensure that we did not cause undue alarm and concern for Medlab customers.
Why has it taken time to notify individuals involved?
The information published on the dark-web needed to be downloaded and then thoroughly analysed to determine what the information was, and who it belonged to. This process took several months to complete, including locating current contact details for involved individuals. This is why we haven’t been able to notify involved individuals until now.
We have remained mindful to be as thorough and accurate as possible so that we did not incorrectly notify anyone and cause undue alarm or distress, while at the same time bringing this to the attention of involved individuals as quickly as possible.
What has Medlab done to protect involved individuals’ data?
We have already taken a number of proactive steps with relevant authorities, where possible, to protect the information of involved individuals, and on Thursday 27 October will commence notifying them of the types of information of theirs that have been involved and additional steps they can take to protect this information.
We are conscious that there is a lot of public concern at present about recent data breach events and we remind all of our community, including those not impacted by this event, to be on alert for telephone and online scams such as phishing emails and communications from unknown senders.
What should Medlab customers do?
If you are a previous Medlab customer, please monitor your email and postal mail for a notification from Medlab over the coming weeks.
If you do receive a notification from Medlab, it will include a tailored information sheet that explains precisely what information of yours is involved, and additional steps you can take to protect yourself against any potential misuse of your information.
Dedicated support team
If you receive a notification from Medlab that you are involved and you have questions, please contact our support team on 1800 433 980 (between 8am – 6pm AEDT Monday to Friday and 10am – 4pm AEDT on weekends). We have support processes in place for contacted individuals to ensure that they understand how the incident involves them and can take the necessary steps to protect their information.
We sincerely apologise that this cyber incident has occurred and for the concern and inconvenience to individuals.
The Information Commissioner’s statement provides:
The Office of the Australian Information Commissioner (OAIC) has commenced an investigation into the personal information handling practices of Medlab Pathology, owned by Australian Clinical Labs, in relation to its notifiable data breach.
This decision follows the OAIC’s preliminary inquiries commenced into the matter in October.
The OAIC’s investigation will focus on whether Medlab took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether they complied with the Notifiable Data Breaches (NDB) scheme.
The investigation will also consider whether Medlab took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).
If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination which can include declarations requiring Medlab to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.
Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.
The NDB scheme ensures affected individuals are informed and can take steps to protect themselves from further risk. Following a breach, individuals need to be alert to any suspicious or unexpected activity on their personal accounts or devices.
“As the risk of serious harm to individuals can increase over time, a key focus for the OAIC is the time taken by entities to identify, assess and notify the office and affected individuals of data breaches,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“Organisations must also be proactive in minimising the risk of data breaches by putting in place reasonable security steps.”
In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.
About Commissioner-initiated investigations
The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 under section 40(2) of the Privacy Act.
Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.