Investigators say they have completed their forensic probe into last month’s St Vincent’s Health cyberattack, and that no personal or health information was taken.
Last month’s attack, which was first reported by this masthead, involved the theft of 4.3 gigabytes of data, and investigators from cybersecurity firm CyberCX had been working over the past month to determine if patient data had been compromised.
On Thursday, the investigators said that cyber criminals had pilfered system, configuration data and network credential data, but that personal information including driver’s licences, passports, Medicare cards, medical records and banking information was not taken.
“As part of our immediate response we have been undertaking necessary system remediation activities. This includes enhancing our 24-hour, 7-day a week monitoring across our digital environment to detect and respond to suspicious activity,” a spokesman for St Vincent’s Health told this masthead.
“At all times our priority has been to maintain the safe operation of our hospital, aged care, community, virtual and home care services.
“We have committed to engaging transparently with our people, our patients and residents, our valued partners and the community as the situation has developed. We have briefed federal and state governments, including regulators on the findings of this investigation.”
The cyberattack was carried out by a sophisticated group of cybercriminals who gained access to the organisation’s data through a compromised account, investigators believe, in a breach similar to the one that crippled Medibank almost a year ago.
Some patients had criticised St Vincent’s for what they said was a lack of communication, while a source close to the hospital most St Vincent’s patients had not been contacted about the cyber incident because it was unclear if any personal information had been stolen.