Medlab Pathology, owned by Australian Clinical Labs (ASX: ACL), has joined a growing list of companies impacted by cyber attacks after revealing a data breach has affected the health records and credit card information of almost 223,000 people, leading to an 11.6 per cent plunge in the parent company's share price in morning trading.
The news comes a day after private health insurer Medibank (ASX: MPL) confirmed hackers accessed data for its entire customer base, as well as information about its ahm and international student clientele. Shares tumbled 18 per cent to $2.87 each off the back of the announcement, wiping approximately $1.75 billion in market value.
Medlab revealed its breach included 17,539 medical and health records associated with a pathology test, 28,286 credit card numbers and names (of which 15,724 were expired), and 128,608 Medicare numbers. The majority of the customers impacted were from NSW and Queensland.
The company notes that there is currently no evidence of misuse of any of the information or any demand made of Medlab or ACL. The compromised server has been decommissioned and ACL’s broader systems and databases have not been affected by the incident.
“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred. We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected,” ACL CEO Melinda McGrath said.
“We are in the process of providing tailored notifications to the individuals involved. We want to assure all individuals involved that ACL is committed to providing every reasonable support to them. We will continue to work with the relevant authorities.”
The unauthorised third-party access to Medlab’s IT systems was brought to the company’s attention eight months ago, which led to the commissioning of a forensic investigation by independent external cyber experts. At the time, forensic specialists did not find any evidence the information had been compromised.
In June of this year, the Australian Cyber Security Centre (ACSC) approached ACL to inform the group that Medlab information had been posted on the dark web, which ACL took immediate steps to find, download and permanently remove.
Following advice from privacy and legal specialists in cyber matters, ACL implemented a program to uncover what information was hacked and which individuals could be at risk of serious harm as a result of the incident. Due to the highly complex nature of the data set, it has taken forensic analysts and experts until now to ascertain the extent of the breach.
From today, ACL will directly contact impacted patients and staff via email and postal mail to provide them with information about the incident, how it affects them and additional steps that can be taken to protect their information.
ACL has established a dedicated inbound response team in relation to the cyber attack and is also offering free-of-charge credit monitoring or ID document replacement for people who may be at risk of credit or identity fraud. The pathology giant is also working alongside federal and state government authorities.
The incident has been reported to both ACSC and the Office of the Australian Information Commissioner (OAIC).