Victorian Ambulance suffers a data breach with personal data of 3,000 employees hacked
March 29, 2025
The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, that time involving the internal sharing of personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion systems detected the breach, which was committed by the employee on his or her last day of service. In 2019 I posted on a data breach involving NSW Ambulance Offices which resulted in a class action and settlement of $275,000.
Data breaches involving staff going rogue are a chronic problem, and a difficult one to deal with if proper policies and systems are not in place. Some staff or soon-to-be ex-staff are motivated by malice, others by greed and some by curiosity. It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration. It is also important to have a data breach response plan that assigns roles to members of the organisation. There also needs to be a plan to take court action if necessary. It is common to seek injunctive relief against ex-staff or consultants who make off with data. That is not an alternative to contacting police but a complement to such action.
One question the regulators will no doubt ask is whether the person who accessed all of this sensitive data should have had authorisation to do so in the first place. If he or she used someone else’s authorisation, then how did that happen? And if someone was being let go or had resigned, why did that person have such access rights on his or her last day?
The Australian article provides:
Police are investigating a massive data breach at Ambulance Victoria after the private financial and personal data of up to 3000 employees was hacked.
The Australian can reveal emergency services chiefs called in Victoria Police and Australian Federal Police on Friday amid fears the security breach had compromised the personal files of thousands of staff.
The prime suspect is a rogue member of staff who recently left the service, but transferred the trove of personal data while they still had access to the ambulance computer system.
Staff names, email accounts, home addresses, mobile and home phone numbers, and emergency contact details are among the looted personal data.
Bank account details, superannuation accounts and Australian Taxation Office numbers of thousands of employees are also believed to have been taken in the hack in which staff gender, birth date, nationality and residency status were also compromised.
Ambulance Victoria chief executive Andrew Crisp alerted staff to the data breach on Friday, in a letter headed “unauthorised transfer of Ambulance Victoria files containing staff personal information”.
“Investigations are ongoing and if appropriate, may proceed to prosecution,” he told staff.
“Ambulance Victoria’s data security systems detected the unauthorised transfer of files containing personal and financial information of AV staff by a now-former employee on their last days of service.
“AV acted immediately to take action to secure and delete those files as well as notifying Victoria Police, the Australian Federal Police and other relevant state and federal cyber and data security agencies.”
Victoria Police has confirmed an investigation is under way.
“Detectives from the cybercrime squad are assessing a report of a data breach affecting a Victorian emergency service organisation,” a police spokesman said.
“Inquiries are under way to determine the circumstances and impact of the incident.”
Ambulance Victoria has been approached for comment.
In his letter, Mr Crisp said staff would be allocated a case manager to help them deal with the impact of the hack and he warned staff to be “vigilant” in moving to secure the personal information in the wake of the security breach.
He said Ambulance Victoria had ordered a review of internal security of computer files and was increasing internal systems to detect suspicious activity.
“We have worked diligently to identify and contain the breached data caused by this incident,” he wrote. “We are continuing to co-operate with relevant regulatory authorities to assist them to undertake a thorough investigation.”
In addition to calling in police, Ambulance Victoria has notified the Victorian Information Commissioner, the Office of the Australian Information Commissioner, the ATO and the Australian Cyber Security Centre.
“While we have been taking, and will continue to take, steps to help reduce any impact to you resulting from this incident, we strongly recommend you also regularly monitor your online services accounts and transaction history for any unauthorised activity,” Mr Crisp wrote.
Ambulance Victoria has advised staff to review their security settings to protect their information, including updating passwords, enabling two-factor authentication and being on alert for phishing attempts.
Ambulance Victoria’s statement in 2023 provides: