This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Melbourne Heart Group / Cabrini Hospital

Summary

Melbourne Heart Group, a cardiology practice operating at Melbourne's Cabrini Hospital, suffered a ransomware attack in February 2019 that exposed the medical records of approximately 15,000 cardiac patients. The breach compromised highly sensitive health information including cardiac diagnoses, treatment histories, test results, and personal details. Cybersecurity experts described the incident as a warning for Australia's healthcare sector, noting that "the crooks are ahead" of medical providers' security capabilities.

What Happened

Ransomware. A cybercrime syndicate infiltrated Melbourne Heart Group's computer systems and deployed ransomware that encrypted patient files and medical records. Before locking the files, the attackers exfiltrated a database containing the personal and medical information of 15,000 patients treated by the cardiology practice. The attack targeted a specialist medical practice handling particularly sensitive patient data, including detailed cardiac histories, diagnostic imaging, treatment plans, and outcomes. The breach demonstrated the vulnerability of smaller medical practices that may lack the cybersecurity resources of large hospital networks.

Impact on Individuals

  • Highly Sensitive Data: Cardiac medical histories, diagnoses, and treatment information exposed
  • Privacy Breach: Personal details including names, contact information, dates of birth, and Medicare numbers compromised
  • Medical Blackmail Risk: Sensitive health conditions could be used for extortion or discrimination
  • Insurance Implications: Exposure of pre-existing cardiac conditions could affect future insurance applications
  • Identity Theft: Combination of health and personal data useful for medical identity fraud

The exposure of cardiac patients' medical records was particularly concerning given the sensitive nature of heart conditions and their potential impact on employment, insurance, and personal relationships.

Response

Melbourne Heart Group immediately notified affected patients and reported the breach to the Office of the Australian Information Commissioner. The practice engaged cybersecurity forensic experts to investigate the attack and assess the extent of data compromise. Patients were advised to monitor their medical records for any unauthorised access and to be alert for potential phishing or fraud attempts. Cabrini Hospital and Melbourne Heart Group implemented enhanced security measures and reviewed their data protection practices. The incident sparked broader discussions within Australia's medical community about the need for stronger cybersecurity standards in healthcare, particularly for specialist practices that handle sensitive patient data but may lack dedicated IT security teams.
