The ALPHV ransomware gang has struck at a Melbourne pathology firm, getting away with detailed patient records after utilising a third-party supplier’s login details to gain access.
The incident was first noted on 24 August, when the threat actor contacted TissuPath, threatening to publish patient information within 48 hours if no payment was made. An investigation followed, after which TissuPath confirmed the breach and enacted its cyber security plan.
While TissuPath’s incident report does not mention the threat actor by name, threat intelligence platform Falcon Feeds ascribes the attack to ALPHV. The threat actor’s own TOR leak site is currently down.
The patient data affected includes names and dates of birth, gender, and phone numbers and addresses if provided by the patient. Medicare and health insurance numbers and details of the doctors each patient was referred by are also affected.
TissuPath has said that no billing information was impacted, as it is not stored on any affected systems. The company has not shared how many of its patients have been impacted by the hack, but it did say that the data related to referrals made between 2011 and 2020.
“The TissuPath Pathology specimens and referrals are for suspected cancer patients,” TissuPath said in its incident report. “Such data is retained for 20 years and reported as per National Pathology Accreditation Advisory Council (NPAAC) specifications.”
The threat actor gained initial access via a third-party supplier, one of whose storage drives had been accessed due to “a vulnerability on their remote access toolkit (RAT)”. From here, the actor was able to access admin accounts, which they, in turn, used to access TissuPath’s network.
TissuPath’s response has, however, been thorough. The company has contacted doctors whose patients were affected (it does not keep email addresses of its patients), and reset all user passwords, as well as blocking all third-party access to its network.
“TissuPath promptly reported the security incident as a notifiable data breach to the Office of the Australian Information Commissioner and Australian Cyber Security Centre,” the pathology firm said. “TissuPath is now actively working with the Australian Cyber Security Centre representatives.”
The company also shared a list of actions and advice those affected by the breach should take, from being aware that scammers may be making use of the data and misrepresenting themselves as TissuPath representatives to staying alert for any “suspicious activity across all online accounts”.
ALPHV – also known as BlackCat – appears to have been quite busy targeting Australian businesses in the past week, as it apparently listed two other local victims on its leak site.
Strata operator Strata Plan was listed, as was real estate agent Barry Plant – both based in Victoria.
Lisa Pennell, chief executive of Barry Plant, has said that its exposure from the incident is minimal and is limited to one branch office.
“We have become aware that a third-party supplier to a small part of the property management business of one of our franchised offices has had a cyber incident,” Pennell told Cyber Security Connect. “This supplier is an IT-managed service provider and not owned or related directly to the Barry Plant Group more broadly other than providing their service to this specific local office in Blackburn.”
“To be clear, the Barry Plant Group’s systems have not been impacted by this incident – it is an isolated matter.
“We are supporting our franchisee and have engaged market-leading experts to help us assess the situation.”
Pennell also told Cyber Security Connect that Barry Plant is “working diligently” to further investigate the incident.
Cyber Security Connect has contacted Strata Plan for comment.
ALPHV has a history with third-party hacks, as it was the threat actor behind a string of data breaches relating to the now infamous HWL Ebsworth hack in June, which impacted dozens of Australian organisations and government agencies.