Share this article on:
A Sydney radiology clinic that was targeted by cyber criminals last year has revealed that it has recovered “the majority” of its patient records after decrypting its main IT systems.
In an update posted to its website, Quantum Radiology said that following the decryption of its main systems, it has analysed “potentially impacted data”, saying that Medicare, Centrelink and possibly Veteran card information could be at risk.
“If we determine that the Medicare card, Centrelink card or Veteran Card information that you provided to us prior to the cyber incident is current and unexpired, we will make every effort to contact you directly by post no later than the 31st July 2024 and provide you with additional steps that you may wish to consider undertaking to protect your personal information,” said the clinic.
“We can confirm that Quantum does not collect or store credit card data, nor does Quantum store scanned copies of Medicare cards or other identity cards (such as Centrelink card or Veteran Card).”
The company does confirm, however, that no My Health Record data was impacted by the incident.
It also said there is no evidence to suggest that any data was posted to the dark web.
Quantum Radiology came under media fire after it left its customers in the dark late last year, cancelling appointments without granting a reason.
Customers visiting one of Quantum Radiology’s 10 locations were only met with a sign at the door that said: “Due to unforeseen circumstances, our IT systems are currently down, and we cannot process any patient appointments until further notice.
“Our team is working to resolve this as soon as possible.”
A spokesperson, speaking to 9News, confirmed the said “unforeseen circumstances” resulted from a cyber attack.
On 1 December, following media coverage of the incident, Quantum Radiology came forward with a public statement.
“Our clinics are temporarily closed as we are investigating a recent cyber incident. As soon as we detected the incident, we took steps to contain it,” the statement said.
“Relevant Australian government authorities and the police have been notified.”
The outage resulted in customers being unable to access their medical results or scans, causing delays for other appointments at specialists and other medical institutions.
In January, the company revealed details of the incident.
“On Wednesday, 22 November 2023, the Quantum Radiology Group became aware of a cyber incident where an unauthorised third party gained access to our IT systems and encrypted the contents of those systems,” said the company.
“As soon as we detected the incident, we took steps to contain it, and appointed forensic specialists to investigate what had happened, engaged by our legal advisors along with other cyber incident response specialists.”
Patients and current employees were affected.
Despite the detailed information provided to staff and the confirmation of the cyber attack posted to the company’s website, internal emails show that staff had been instructed to tell patients that the incident was the result of “an operational IT issue”.
“Whether a patient contacts you by phone or email, or you have a frontline role and speak to patients in person; it is essential that we all provide a consistent message so as [not] to cause confusion or unnecessary concern,” said the email under a tab that said, “What to tell patients.”
“You may tell patients that Quantum has experienced an operational IT issue, and we are working to restore services as soon as possible.