Cape York patients’ private medical records may have already fallen into the hands of international crime syndicates lurking on the dark web, a cyber security expert has warned.
Apunipima Cape York Health Council confirmed on Thursday that a third party had accessed its data and possibly downloaded medical records after leaked emails revealed a major data breach.
As first reported by Cape York Weekly, it’s understood the hackers used malicious software known as LockBit to block users’ access to Apunipima’s computer systems earlier this week.
The systems are effectively locked and being held to ransom by the hackers, who are seeking an undisclosed payment.
In a statement, the Aboriginal Community Controlled Health Organisation said the Australian Cyber Security Centre and law enforcement authorities had been contacted.
“We are advised that the forensic investigation to determine what precisely has occurred and if any information has been affected, will take some time to complete,” the spokesperson said.
“Should the forensic investigation confirm that anyone’s personal information may have been affected, we will carefully analyse the potentially affected information for the purpose of notifying individuals in a clear and precise manner.
“We will ensure all relevant regulators and authorities are notified and kept informed in this regard.”
University of Queensland cyber director Professor Ryan Ko said hackers preyed on vulnerable organisations and often researched their targets before breaching their data.
“Typically, the users of these ransomware services look at public information,” Professor Ko said.
“They’ll read annual reports, know how much money you turn over and base a ransom on what you can afford.
“Cyber attacks typically come from organised criminals based overseas. Sometimes they are multinational groups spanning across the globe.
“Cyber crime is profitable and it’s relatively easy to evade detection and is very difficult to attribute to the source.”
While some businesses choose to pay ransoms after being hacked, Professor Ko said doing so can be dangerous.
“Some people and some organisations pay the ransom but then get placed into what’s called a ‘sucker list’,” Professor Ko said.
“The criminals then share the ‘sucker list’ and the same organisations get targeted again. So, never pay.
“Instead, we should be constantly backing up our data so we can restore our systems without paying a ransom.
“(Once you’ve been breached), this information can then be sold online on the dark web.
“The key difference between physical crime and cyber crime is that in physical crime you lose the item.
“But when it’s sensitive information, if it’s stolen, the criminal has access to it that can lead to further crimes like identity theft and other sinister uses.”
“We need to understand or inquire about the use of information and its retention,” he said.
With cyber crime on the rise, Professor Ko said private citizens must also consider how they protect personal information.
“You should ask businesses what information of yours is being retained and if it’s retained, what for? In places where age has to be verified, for example, there’s no need for the location to have your address or other details,” he said.
“That’s where legal reforms have to come in. New malware is created every quarter of a second.
“The scale of it is beyond what manual intervention can handle. At the Tokyo Games, in the span of two weeks, they faced 450 million attempted cyber attacks.
“As long as you’re connected to the internet, you’re exposed to these criminal networks. You need to look at ways to protect yourself from attacks.”
State and federal health ministers, Yvette D’Ath and Mark Butler, refused to comment when contacted by Cape York Weekly.