Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Australian local health district could be caught up in Advarra research data breach

NSW’s Far West Local Health District has clinical trial URLs revealed as hackers feud with Advarra executives over messy ransomware negotiations.

user icon David Hollingworth
Fri, 03 Nov 2023
Australian local health district could be caught up in Advarra research data breach
expand image

The ALPHV ransomware gang may have inadvertently gotten hold of data pertaining to clinical trials being carried out by the Far West Local Health District in NSW.

The gang is currently negotiating with clinical research compliance firm Advarra after ALPHV claimed it had successfully hacked the company on 1 November this week, exfiltrating 120 gigabytes of data. As part of the process, ALPHV has been posting a range of material to prove its claims.

Most of the proof-of-hack material currently posted on the gang’s leak site pertains to a particular Advarra executive, who has – ALPHV allege – not entirely been negotiating in good faith. However, one screenshot appears to show details belonging to an Australian health agency.

============
============

One of the tools that Advarra provides its customers is called Clinical Conductor, which is a clinical trial management system apparently used by NSW Health.

And one of the proof-of-hack documents appears to be an internal Advarra log regarding trials run by the Far West Local Health District (FWLHD) in NSW – specifically listing the URL of a Clinical Conductor login portal for the staging and production environments of FWLHD clinical trials.

Another, different, FWLHD URL resolves only to the login page for NSW Health.

ALPHV has claimed that the company has been abusive in negotiations and untruthful in its statements on the hack so far, apparently forcing the hackers’ hand in posting more details of the hack. At the same time, the gang appears to be leveraging some of the material it extracted to directly threaten an individual at the company.

Advarra’s response

For its part, Advarra said the matter has been “contained”.

In a letter to its clients seen by Databreaches.net, Advarra explained that one of its employees had fallen victim to a sim-swapping attack on 25 October, and their phone had been compromised.

“Immediately after becoming aware of this, we took steps to stop the unauthorised activity and are confident that the matter is contained,” Advarra said in the letter. “We immediately retained leading third-party cyber security experts to support our investigation and notified federal law enforcement.”

Advarra does admit that some data was exfiltrated, however.

“The impacted data is believed to have been accessed via Advarra’s internal systems. We are working continuously with outside experts to understand the nature and scope of the impacted data,” Advarra said.

The company said it is aware that the hacker is currently threatening to leak the data, and it is “currently assessing the veracity of those claims and will determine next steps once we have done so”.

According to DataBreaches.net, ALPHV almost certainly has patient data in some form. The outlet contacted the hackers directly and was apparently provided with limited trial patient data by way of confirmation. DataBreaches.net then reached out to the clinic in question and confirmed the data – which included patient diagnosis and medication details – was, in fact, real and accurate.

Cyber Daily has not been able to confirm this data independently, and ALPHV has said it will now delete that clinic’s data entirely.

As to the possible extent of the trial data affected, one of ALPHV’s proof-of-hack screenshots appears to show the file structure of a PC folder containing the names of a large number of Advarra’s clients. The screenshot only shows 21 folders, but they do appear to be listed in alphabetical order and only shows organisations whose name starts with the letter T.

The folders list the names of healthcare organisations such as Tampa General Hospital, Texas Children’s Hospital, and Triple O Research Institute.

ALPHV currently intends to release the data over the weekend and is taking the bold attitude that its victim – Advarra – is, in fact, the party in the wrong.

“We will leak the data on Saturday, if Advarra does not express its intentions to negotiate before then,” ALPHV’s most recent post said. “Executives have been sent the negotiation URL & token. This is your last chance.”

Won’t someone think of the poor cyber criminals? ALPHV, also known as BlackCat, was responsible for the HWL Ebsworth hack, which saw the details of dozens of Australian organisations shared on the darknet.

Cyber Daily has reached out to NSW Health for comment.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.