Share this article on:
The investigation into the St Vincent’s Heath cyber attack has been completed, with investigators revealing that no health or personal information was stolen.
The attack on the healthcare agency occurred late last year, resulting in the theft of 4.6 gigabytes of data, although there was no evidence that data had been used for malicious purposes.
Since the attack, researchers from cyber security firm CyberCX have been investigating the incident to determine whether or not patient information had been included in the stolen data.
Now, investigators have said the probe is finished and have determined that no personal or health data was stolen.
The 4.6 gigabytes of stolen data was made up of system configuration and network credential data. It is currently unknown who was behind the attack.
While some customers were displeased with St Vincent’s response, with the healthcare organisation not informing all customers due to not knowing what data had been compromised originally, the agency’s chief executive, Chris Blake, has said he briefed Minister for Cyber Security Clare O’Neil on the details of the investigation on Wednesday (24 January).
“We are deeply proud of how our people serve their patients and residents with the highest level of care every single day,” he said.
“We are deeply appreciative of how the federal government has supported us to navigate an unenviable situation made harder owing to the time of year this occurred.
“In particular, the support of the acting national cyber security coordinator, the National Office of Cyber Security, the Australian Signals Directorate, the Australian Federal Police and the Department of Health and Aged Care has been invaluable to us.
“The early engagement and strong support provided by the federal government gave St Vincent’s the confidence to respond to this incident with both our partners and stakeholders but also with the public with transparency.”
Despite the thankfulness, St Vincent’s could still receive a fine for the incident if it is discovered that the group’s cyber safety standards were below the required levels, particularly as it is a critical infrastructure organisation.
Throughout the outage, hospital and healthcare operations remained normal and continue to operate normally.
“To date, this incident has not affected the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks,” St Vincent’s said in its initial announcement.
The incident also engaged the assistance of acting national cyber security coordinator Hamish Hansford, who released a statement saying he was working with the National Office of Cyber Security.
“My team is working with Services Australia, the Department of Health and Aged Care, and relevant state and territory agencies to ensure a coordinated government response to this incident and to mitigate any flow-on effects,” the coordinator said in a statement on LinkedIn.
“The Australian Signals Directorate’s Australian Cyber Security Centre is also working closely with St Vincent’s.”