Just months after Pound Road Medical Centre posted a cyber incident notification online, the Anubis ransomware gang has posted what appears to be a trove of sensitive medical data.
Threat actors have claimed a major cyber incident impacting a Victorian medical centre, allegedly exfiltrating massive amounts of personal patient data and other business documents.
The Anubis ransomware gang has listed Pound Road Medical Centre (PRMC) on both its dark web leak blog and a clear web mirror, claiming to hold extensive medical data.
“In this article you will find: Personal data of Australian residents (medical cards, passports, DOB and a lot of personal information), Internal documents of the company showing how much the company does not take seriously the injuries of its patients and complete non-compliance with safety standards that led to the leakage of patient data,” the group alleged in an overnight leak post.
PRMC is a medical centre based in Narre Warren South in Victoria and provides services to patients in Narre Warren South, Narre Warren, Hampton Park, Hallam, Berwick, Cranbourne, Lynbrook, Clyde, Endeavour Hills, and surrounding suburbs.
In a full article published on its leak site, Anubis names specific patients, medical histories, and incidents within the medical centre in an attempt to highlight just how detailed the exfiltrated data is.
The group also claims it has access to reports that highlight cases of malpractice within PRMC.
“Expired vaccines, loss of Morphine ampoules, vaccinating patients without their consent, defrosting refrigerators with medicines and other cases,” it said.
Anubis also posted a clip of CCTV footage that it says shows a patient having an adverse reaction in the practice.
Anubis also refers to a number of critical incident reports as evidence; however, these were inaccessible to Cyber Daily and could not be verified.
While Cyber Daily has been unable to source comment from PRMC regarding this latest incident, the medical centre posted a data breach notification on its website on 13 November 2024.
“On 13 November 2024, Pound Road Medical Centre (PRMC) was alerted to activity on our systems, which indicated a potential cyber incident had occurred. We have commenced an urgent investigation into that activity and taken immediate action to contain the incident,” the breach notification said.
“Unfortunately, our investigations have identified that patient data may have been accessed and taken from our systems by an unauthorised third party.”
The notification adds that data potentially accessed includes patient medical information, Medicare and pensioner card details, personal details such as names, addresses, email addresses and/or phone numbers and more.
Additionally, PRMC said that both the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) had been informed of the incident.
At the time of the breach notification, PRMC claimed that “health and other sensitive personal information by itself is generally not useful to a cyber criminal”.
However, the value of medical data to criminals has been documented repeatedly by cyber security firms and researchers.
“Malicious actors can exploit medical data in various ways, including identity theft, insurance fraud, and blackmail. Unlike financial data, which has a limited shelf life because it is relatively easy to change, leaked medical records are permanent and therefore hold long-term value,” Matt Green, principal threat analyst at Rapid7, told Cyber Daily.
“Anubis’s extortion methods appear to involve writing investigative-style reports about victims, publishing hidden blog posts, and notifying regulatory bodies to apply pressure. This structured approach to cyber extortion suggests a high level of organisation.”
Healthcare entities are also remarkably vulnerable to penetration because of the fluid and always-evolving nature of a patient’s medical care and because of the number of clinicians, facilities and transactions required to connect patient care across multiple settings.
This is not the first time PRMC has dealt with a data privacy incident. As pointed out by Anubis itself, in 2014, the OAIC reported on a 2013 incident in which it was determined that PRMC had “breached the Privacy Act by failing to take reasonable steps to secure personal information it held”.
In that incident, PRMC had been storing paper patient records in boxes in an unsecured shed, which was broken into, compromising patient data.
However, mitigating circumstances and PRMC’s commitment to improve its security meant the matter was closed without penalty.
“As we can see, PRMC does not draw conclusions from their mistakes, otherwise you would not be reading the article you are reading now,” Anubis said in its leak post.
“We hope that the company will take this leak more seriously than the OAIC warning, which seems to have had no effect in nine years.”
According to one cyber security researcher, Anubis appears to be a relatively inexperienced newcomer to the ransomware scene with a focus on maximising harm, and it has so far posted only four victims to its dark web leak site, including PRMC. Security researchers also say the gang appears to be made up of Russian speakers and operates as a ransomware-as-a-service that is actively recruiting affiliates.
“We specialize in disseminating company data leaks supplied to us by our anonymous sources,” Anubis’ leak site said on its About page.
“All data published in our articles and investigations are 100% authentic and exclusive, coming directly from the companies’ computer networks.”
Updated 26/02/2025 - Added Rapid7 commentary.