St Vincent's Health Network suffers a data breach, but it is not an isolated event. There is a pattern of cyber attacks on health facilities worldwide.

January 1, 2024

St Vincent’s Health Network suffered a data breach on 19 December 2023. When the breach was first reported, it was not known what personal information had been stolen. According to The Australian, as of 25 December 2023 St Vincent’s was still unable to determine what, if any, medical records were stolen (St Vincent’s unable to confirm if medical records stolen). On 29 December 2023 St Vincent’s Health Australia released a statement. It provides:

Since its statement last Friday regarding the attack by cyber criminals, St Vincent’s has been working tirelessly with federal and state governments, law enforcement, and our cyber experts.

Today we again briefed our close to 30,000 team members on the latest information regarding this investigation and monitoring work.

The staff at St Vincent’s provide some of the best care in the world to our patients and residents. Our key priority in responding to this cyber criminal attack has been to preserve and protect the critical work of our staff on behalf of millions of Australians every year.

On Tuesday, 19 December, St Vincent’s began responding to a cyber security incident.

On that day, St Vincent’s immediately took steps to contain the incident, engaged external security experts CyberCX, and notified all relevant state and federal governments and their necessary agencies.

No cyber criminal activity has been detected on St Vincent’s networks since Wednesday, 20 December.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on the morning of Friday, 22 December.

St Vincent’s continues to investigate this cyber crime. Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity.

Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.

To date, the activities of the cyber criminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.

We thank the Australian Government, our state government partners, and our commercial and clinical partners, for their support.

We have also updated federal and state government authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, as well as our key partners, and stakeholders.

The Australian Federal Police are engaged with the matter and St Vincent’s is fully supporting their criminal investigation.

We have established a dedicated support line 1300 124 507, as well as a dedicated email address stvincentscybersafety@svha.org.au, for anyone wishing to seek further information about this matter.

Media contact: Dexter Gillman 0439 393 196

Q&As

When did St Vincent’s first become aware that they were experiencing an incident?

On Tuesday, 19 December 2023, St Vincent’s Health Australia (SVHA) began responding to a cyber security incident.

SVHA immediately took steps to contain the incident, engaged external cyber security experts, and notified all relevant state and federal governments and the necessary agencies.

The investigation into this incident is ongoing.

Why did it take until Friday 22 December 2023 to tell the public?

St Vincent’s took immediate steps to contain the incident upon its discovery. We also engaged external security experts, notified all relevant state and federal governments and their necessary agencies.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on Friday morning.

What steps did St Vincent’s take to understand the incident?

Our teams have worked tirelessly through the night, and into today to:

•    Implement enhanced monitoring of St Vincent’s networks and systems;

•    Deploy investigatory tools; and

•    Review system logs and telemetry.

At this time, no new activity by the threat actor has been detected inside St Vincent’s networks since early morning Wednesday, 20 December. Containment activities are still ongoing.

Do you know who might be behind this incident?

Not at this time.

Do you know if any information that may be sensitive (corporate or personal) may have been accessed?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

Do you have any evidence data has been removed from your network?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

When will SVHA be able to say what type of data was stolen?

This is a complex and highly technical investigation, and we do expect it will take some time before we know exactly what data was taken from our systems.

How will you notify patients or staff if their data has been stolen?

Should we discover that any sensitive information has been stolen by cyber criminals, we will do all that we can to contact the impacted persons to inform them of this, give them information about the steps that they can take to protect themselves and support them through that process.

Are hospital operations impacted?

At this time, our ability to deliver the frontline services that our patients, residents, governments and the broader community rely on us for, has not been impacted. We are managing some network disruptions as part of our remediation works.

What support is available?

We have established a dedicated support line 1300 124 507 and email address stvincentscybersafety@svha.org.au for anyone with additional questions about this matter.

St Vincent’s statement, when issued, was quite good as far as it went; in fact, very good by Australian standards. It was the basis for The Australian’s report, St Vincent’s Health still trying to work out if personal medical records stolen in cyber attack.

While the statement provided a good overview, it continues the unfortunate and usual Australian practice of not providing, even in the most general terms, the cause of the breach. That can give rise to criticism. Just ask the executives of Medibank and Optus, for whom the breach was a bleeding wound that took months to be only partially staunched. Providing too much detail is unnecessary and can be poor practice, since it may highlight weaknesses that can be exploited against other organisations, but failing to provide any information at all, even in very general terms, as to how the breach occurred goes too far. Withholding information can be embarrassing if the media finds out what caused the breach. That seems to be the case here, as the Australian Financial Review (the “AFR”) provides details not provided by St Vincent’s Health in Revealed: St Vincent’s hackers got in with compromised accounts. The AFR has found a source working with, or having access to, the investigators who described the point of entry as “compromised accounts.” That seems to have been confirmed to the Sydney Morning Herald in St Vincent’s cyberattack work of sophisticated criminals, say investigators. Such a means of infiltration is quite common; it was the cause of the Medibank data breach. As the compromised accounts have not been found on the dark web, it is likely that there were deliberate steps taken to locate and target accounts linked with St Vincent’s Health.

There is another dimension to this data breach. As the health network is critical infrastructure, it is covered by specific legislation, the Security of Critical Infrastructure Act 2018. As the Sydney Morning Herald reports in Home Affairs flags probe of St Vincent’s cybersecurity after Christmas hack, the Department of Home Affairs may investigate the breach.

Legally, St Vincent’s seems to have taken a conservative approach and notified the regulators. That may not resolve future problems for St Vincent’s Health, as it is still not sure what, if any, data was exfiltrated. That poses a reputational problem, particularly if data was taken and used by cyber criminals before St Vincent’s can advise those affected. iTnews reports that the analysis could take time. That is not good news.

The Australian article provides:

One of Australia’s largest health networks that was the subject of a cyber security breach still has no idea whether hackers stole sensitive medical data ten days after the attack.

St Vincent’s hospital on Friday revealed it had not figured out whether cyber criminals stole any personal information or even the contents of the data stolen more broadly.

“St Vincent’s continues to investigate this cyber crime. Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity,” it said.

“Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.”

Peak medical bodies, unions and the opposition have blasted the organisation amid concern it had failed to protect private information which could undermine Australia’s confidence in the hospital system more broadly.

St Vincent’s, operator of 10 hospitals and 26 aged-care facilities in NSW, Queensland and Victoria, confirmed it was first hacked last Tuesday which prompted the hospital to notify relevant state and federal governments.

However, it waited until Friday until it notified the public and staff members, after it found evidence that cyber criminals had removed data from its network on Thursday evening.

“No cyber criminal activity has been detected on St Vincent’s networks since Wednesday 20 December,” the organisation said.

“Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed data from the network. We notified regulators, governments, our staff and the public of this information on the morning of Friday, 22 December.”

The Coalition on Friday called on the government to publicly confirm and reassure Australians it was assisting the hospital to figure out what was stolen.

In a joint statement from Opposition health spokeswoman Anne Ruston and Opposition home affairs spokesman James Paterson, the Opposition urged Labor to “assure Australians that our nation’s crucial health infrastructure – and the data it holds – are secure”.

“The Opposition has been calling on the government for over a week to publicly confirm and reassure Australians that they are assisting St Vincent’s in identifying what information was compromised in the data breach. At a time where national leadership is most needed we have an acting Minister for Cyber Security and an acting National Cyber Security Coordinator managing this incident,” the statement said.

“This government must give cyber security the attention it deserves to assure Australians that our nation’s crucial health infrastructure – and the data it holds – are secure.”

Acting Cyber Security Coordinator Hamish Hansford said it often takes some time to ascertain how the cyber attack occurred in incidents where the organisation has large and complex networks.

Mr Hansford said Australians should feel “confident that St Vincent’s has expert cyber teams in place monitoring their networks to support the delivery of health and aged care services at this time”.

The AFR article provides:

Hackers broke into St Vincent’s Health Australia using compromised accounts that have not yet been found on the dark web, suggesting the organisation was specifically targeted by sophisticated criminals.

The Australian Financial Review confirmed the intrusion method with a source close to the investigation into the hack that St Vincent’s detected last week, and which resulted in data theft and network disruptions.

“While we have identified the compromised accounts used in the recent cyberattack against St Vincent’s, despite extensive sweeps, we are yet to find evidence of these accounts available on credential marketplaces or the dark web,” said the source, who was not authorised to be named.

Hackers broke into private health insurer Medibank using a similar method last year, while stevedore DP World fell victim this year to a security flaw in a remote access system that it had failed to patch. Telco Optus has never disclosed how it was hacked, but an anonymous account from the hacker said they had simply found a system that would send customer data on request.

A spokesman for St Vincent’s, which is the largest not for profit health provider in Australia, said on Friday it was still investigating how the criminals got in.

Major password-stealing gangs were offering logins from the organisation in the months before the hospital and retirement home operator revealed it had been hacked.

But there is no indication those credentials, which are offered as teasers to encourage criminals to buy further compromised accounts, were used in the attack.

Instead, they demonstrate how the loose networks of cybercrime groups that target large Australian organisations function online and point to the larger numbers of compromised accounts that are harder to track down.

The teaser logins available online are from the “stealer” groups, which obtain them by infecting computers with malware, include purported passwords and usernames to access St Vincent’s devices remotely.

The malware tools include RedLine, Raccoon, AZORult and Vidar, which users typically inadvertently install when they are seeking pirated software or click an infected link.

Jamieson O’Reilly, the chief executive of cybersecurity company Dvuln who located the credentials, said hackers on-sold the logins to other criminals for exploitation because it reduced their risk.

It also let them stay undetected on infected computers and generate subscription payments – which could cost around $US180 a week – from other gangs as they captured updated passwords.

“It’s like a farmer going to take the monthly crop to market. They collect the passwords and sell them again,” Mr O’Reilly said.

‘Perfect storm’

Some of the stolen credentials appeared to come from computers running Windows Home – which is usually used for personal devices – that had access to St Vincent’s work services.

“So you have a really perfect storm where they have a personal computer infected but they are accessing work services from home with a device that isn’t as well locked down,” Mr O’Reilly said.

The St Vincent’s spokesman noted that it was common for large organisations in Australia and overseas to have to deal with employee credentials circulating on the dark web. He said the organisation monitored for stolen logins and reset them when they were found.

“Every potentially compromised St Vincent’s credential that has been brought to our attention as part of this incident has been reset,” the spokesman said.

St Vincent’s is still trying to piece together what data was taken in the hack. It has said it will alert individuals if it finds personal data was snatched.

Acting national cybersecurity coordinator Hamish Hansford said Australians should be reassured by St Vincent’s response.

The St Vincent’s spokesman said the hack had not affected its healthcare services. But, “we are managing some important network disruptions as part of our remediation works”.

“No cyber criminal activity has been detected on St Vincent’s networks since Wednesday, 20 December,” he said.
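The intrusion vector described in the commentary above (compromised accounts, the common route into Medibank) and in the AFR piece (stealer-log credentials, personal Windows Home machines reaching work services, credentials being reset as they are found) is the kind of thing a detection team can triage directly from remote-access authentication logs. What follows is an added example written for this page; it is not St Vincent’s, CyberCX’s or any vendor’s code, and St Vincent’s has not described its own log formats or tooling. The log format, usernames, hostnames, IP addresses and the contents of the stealer feed and device inventory are all constructed for illustration. The script flags successful sign-ins where the account has been reported in an infostealer feed, where the device is not in the managed-device inventory, where the operating system is a consumer edition, or where a burst of failures from the same source precedes the success (the credential-stuffing pattern), and builds the list of accounts to reset.

```python
"""Triage of remote-access sign-ins for compromised-credential use.

Added example for this page (not St Vincent's or CyberCX code). All data
below is constructed: the stealer feed, the device inventory and the log
lines are hypothetical.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: usernames a monitoring service reported as present in
# infostealer (RedLine/Raccoon/Vidar-style) log dumps. Hypothetical names.
STEALER_FEED = {"j.smith", "a.nguyen"}

# Constructed: hostnames of corporate-managed devices. Hypothetical names.
MANAGED_DEVICES = {"LAPTOP-7F2A", "WS-ICU-04"}

# Constructed authentication events from a VPN/remote-access gateway,
# one key=value record per line. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-12-18T21:10:11Z user=j.smith src=203.0.113.45 device=LAPTOP-7F2A os="Windows 11 Pro" result=success
2023-12-18T22:02:40Z user=b.lee src=198.51.100.7 device=DESKTOP-HOME1 os="Windows 11 Home" result=failure
2023-12-18T22:03:05Z user=b.lee src=198.51.100.7 device=DESKTOP-HOME1 os="Windows 11 Home" result=failure
2023-12-18T22:03:31Z user=b.lee src=198.51.100.7 device=DESKTOP-HOME1 os="Windows 11 Home" result=failure
2023-12-18T22:04:02Z user=b.lee src=198.51.100.7 device=DESKTOP-HOME1 os="Windows 11 Home" result=success
2023-12-19T01:15:09Z user=a.nguyen src=192.0.2.88 device=DESKTOP-9Q1 os="Windows 10 Home" result=success
2023-12-19T02:00:00Z user=c.patel src=203.0.113.46 device=WS-ICU-04 os="Windows 11 Pro" result=success
"""

FAILURE_WINDOW = timedelta(minutes=10)   # look-back for failures before a success
FAILURE_THRESHOLD = 3                    # failures in the window that make a success suspicious


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict.

    shlex.split keeps quoted values such as os="Windows 11 Home" together.
    """
    ts, *pairs = shlex.split(line)
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse all non-empty lines and return events in time order."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(events, key=lambda e: e["ts"])


def triage(events, stealer_feed=STEALER_FEED, managed=MANAGED_DEVICES):
    """Return a finding for every successful sign-in that shows a risk signal."""
    failures = defaultdict(list)   # (user, src) -> timestamps of failed attempts
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failures[key].append(ev["ts"])
            continue
        reasons = []
        if ev["user"].lower() in stealer_feed:
            reasons.append("account present in infostealer feed")
        if ev["device"] not in managed:
            reasons.append("sign-in from unmanaged device")
        if "Home" in ev["os"]:
            reasons.append("consumer OS edition")
        recent = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            reasons.append(f"{len(recent)} failures shortly before success")
        failures[key].clear()   # a success ends the burst being tracked
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev["src"], "device": ev["device"],
                             "reasons": reasons})
    return findings


def accounts_to_reset(findings):
    """Distinct accounts that need a password reset and a session review."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_LOG))
    for f in results:
        print(f["ts"], f["user"], f["src"], f["device"], "; ".join(f["reasons"]))
    print("reset:", ", ".join(accounts_to_reset(results)))
```

Point `triage(parse_log(...))` at a real gateway export after adjusting `parse_line` to its field names. Two design choices matter in practice: failures are keyed on user and source together, so a spray spread across many users from one address is not mistaken for one user's typos; and a reset of a flagged account, which is the step St Vincent’s spokesman described, does not by itself end an already-authenticated session or revoke a device that has already connected, so every finding here is meant to trigger a session review as well as the reset.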

Bleeping Computer reports that LockBit affiliates are increasingly targeting hospitals. The same weekly roundup also records an attack on Yakult Australia by the new DragonForce ransomware operation. The article provides:

It’s been a quiet week, with even threat actors appearing to take some time off for the holidays. We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals.

These attacks include ones against Yakult Australia and the Ohio Lottery by the new DragonForce ransomware operation.

The most concerning news is that LockBit affiliates increasingly target hospitals in attacks, even though the ransomware operation says it’s against the rules.

In December 2022, one week before Christmas, a LockBit affiliate attacked the Hospital for Sick Children (SickKids) in Toronto, causing diagnostic and treatment delays. The ransomware operation said this was against the rules and issued a free decryptor.

However, this week, we learned that LockBit attacked three hospitals in Germany, disrupting emergency room services.

We also learned about two New York hospitals seeking a court order to have Boston cloud storage company Wasabi Technologies return stolen data stored on one of its servers by the LockBit ransomware gang.

According to a court order, the Carthage Area Hospital and Claxton-Hepburn Medical Center were attacked in September, with the LockBit affiliate renting cloud storage at Wasabi to store stolen data.

The two hospitals now request that the courts force Wasabi to provide and delete the data from their servers. The court documents indicate that Wasabi is already working with the FBI and has shared a copy of the stolen data with them.

Finally, Microsoft once again disabled the MSIX ms-appinstaller protocol handler after deactivating it in February 2022 and then enabling it again in 2023 for some unknown reason.

However, as malware campaigns continue to abuse this feature, which could lead to ransomware attacks, the feature has again been disabled.

There is a very fine line between a responsible and reasonable response to a data breach, which does not bring permanent reputational damage and minimises costs, and one which is an unmitigated disaster, bringing political, legal and media pressure followed by regulatory action and damaging litigation. Having a data breach response plan covering technical, legal and media contingencies is critical. After years of data breaches, cyber and of the more analogue variety, it remains a constant source of surprise how poorly many organisations handle them. TechCrunch has set out in Here we go again: 2023’s badly handled data breaches that 2023 was replete with mishandled and tone-deaf responses to data breaches worldwide. In Australia, the Optus and Medibank data breach responses were cack-handed.

The article provides:

Last year, we compiled a list of 2022’s most poorly handled data breaches, looking back at the bad behavior of corporate giants when faced with hacks and breaches. That included everything from downplaying the real-world impact of spills of personal information to failing to answer basic questions.

Turns out this year, many organizations continue to make the same mistakes. Here’s this year’s dossier on how not to respond to security incidents.

Electoral Commission hid details of a huge hack for a year, yet still tight-lipped

The Electoral Commission, the watchdog responsible for overseeing elections in the United Kingdom, confirmed in August that it had been targeted by “hostile actors” that accessed the personal details — including full names, email addresses, home addresses, phone numbers and any personal images sent to the Commission — on as many as 40 million U.K. voters.

While it may sound like the Electoral Commission was upfront about the cyberattack and its impact, the incident occurred in August 2021 — some two years ago — when hackers first gained access to the Commission’s systems. It took another year for the Commission to catch the hackers in the act. The BBC reported the following month that the watchdog had failed a basic cybersecurity test around the same time hackers gained entry to the organization. It has not yet been revealed who carried out the intrusion — or if it is known — and how the Commission was breached.

Samsung won’t say how many customers hit by year-long data breach

Samsung has once again made it onto our badly handled breaches list. The electronics giant once again took its typical tight-lipped approach when faced with questions about a year-long breach of its systems that gave hackers access to the personal data of its U.K.-based customers. In a letter sent to affected customers in March, Samsung admitted that attackers exploited a vulnerability in an unnamed third-party business application to access the unspecified personal information of customers who made purchases at its U.K. store between July 2019 and June 2020.

In the letter, Samsung admitted that it didn’t discover the compromise until more than three years later in November 2023. When asked by TechCrunch, the tech giant refused to answer further questions about the incident, such as how many customers were affected or how hackers were able to gain access to its internal systems.

Hackers stole Shadow data, and Shadow went silent

French cloud gaming provider Shadow is a company that lives up to its name, as an October breach at the company remains shrouded in mystery. The breach saw attackers carry out an “advanced social engineering attack” against one of Shadow’s employees that allowed access to customers’ private data, according to an email sent to affected Shadow customers.

However, the full impact of the incident remains unknown. TechCrunch obtained a sample of data believed to be stolen from the company that contained 10,000 unique records, which included private API keys that correspond with customer accounts. When asked by TechCrunch, the company refused to comment, and would not say whether it had informed France’s data protection regulator, CNIL, of the breach as required under European law. The company also failed to make news of the breach public outside of the emails sent to affected customers.

Lyca Mobile refused to say what kind of cyberattack hit

Lyca Mobile, the U.K.-headquartered mobile virtual network operator, said in October that it had been the target of a cyberattack that caused widespread disruption for millions of its customers. Lyca Mobile later admitted a data breach, in which unnamed attackers had accessed “at least some of the personal information held in our system” during the hack.

It’s now more than two months later, and Lyca Mobile has still not said what data was stolen from its systems (despite storing sensitive personal information, such as copies of identity cards and financial data), or how many of its 16 million customers were impacted by the breach. Despite repeated requests by TechCrunch, the company has also refused to comment on the nature of the incident, despite the incident presenting as ransomware.

MGM Resorts still hasn’t said how many customers had data stolen after hack

The breach of MGM Resorts is one of the most memorable of 2022; the incident saw hackers associated with a gang known as Scattered Spider compromise the company’s systems to cause weeks of disruption across MGM’s Las Vegas hotels and casinos. MGM said that the disruption will cost the company at least $100 million.

MGM first disclosed that it had been targeted by hackers on September 11. But it wasn’t until October that the company confirmed in a regulatory filing that the attackers had obtained some personal information belonging to customers who transacted with MGM Resorts prior to March 2019. That includes customer names, contact information, gender, dates of birth, driver license numbers, Social Security numbers and passport scans for some customers.

It’s now more than three months later and we still don’t know how many MGM customers were affected. MGM spokespeople have repeatedly declined to answer TechCrunch’s questions about the incident.

Dish breach may affect millions — potentially a lot more

Back in February, satellite TV giant Dish confirmed in a public filing that a ransomware attack was to blame for an ongoing outage and warned that hackers exfiltrated data from its systems that may have included customers’ personal information. However, Dish hasn’t provided a substantive update since, and customers still don’t know if their personal information is at risk.

TechCrunch learned that, despite the company’s silence, the impact of the breach could extend far beyond Dish’s 10 million or so customers. A former Dish retailer told TechCrunch that Dish retains a wealth of customer information on its servers, including customer names, dates of birth, email addresses, telephone numbers, Social Security numbers and credit card information. The person said that this information is retained indefinitely, even for prospective customers who didn’t pass Dish’s initial credit check.

CommScope late to tell its own employees that their data was stolen

TechCrunch heard from CommScope employees who say they were left in the dark about a data breach at the company affecting their personal information. The North Carolina-based company, which designs and manufactures network infrastructure products for a range of customers, was targeted by the Vice Society ransomware gang in April. Data leaked by the gang, and reviewed by TechCrunch, included the personal data of thousands of CommScope employees, including full names, postal addresses, email addresses, personal numbers, Social Security numbers, passport scans and bank account information.

CommScope declined to answer our questions related to the leaked employee data, and it also failed to answer those affected. Several employees told TechCrunch at the time that CommScope executives remained tight-lipped about the breach, saying little beyond it does “not have evidence” to suggest employee data was involved.
