Royal Women's Hospital
Summary
The Royal Women's Hospital in Melbourne apologised to 192 patients in October 2023 after their personal details were potentially stolen when cybercriminals gained unauthorised access to a staff member's private email account. The breach occurred because the employee had forwarded work emails containing patient information to their personal email account to review and coordinate patient appointments and care strategies. The hospital's official systems were not compromised.
What Happened
In October 2023, cybercriminals gained unauthorised access to a Royal Women's Hospital staff member's private email account. The employee had been forwarding work-related communications to that personal account in order to review and coordinate patient appointments and care strategies.
This practice of forwarding work emails to a personal account moved patient information outside the hospital's controlled IT infrastructure and so created a security vulnerability. When the personal email account was compromised, the patient information contained in those forwarded emails became accessible to unauthorised parties.
Impact on Individuals
A total of 192 patients had their personal details potentially exposed in the breach. While the hospital emphasised that medical records were not accessed and its official email or IT systems were not hacked, patient information related to appointments and care coordination was compromised.
The majority of impacted patients received notifications on a Thursday morning in early October 2023, informing them of the potential exposure of their information. The breach raised concerns about patient privacy and the informal work practices that can create security vulnerabilities.
Organisational Response
The Royal Women's Hospital promptly launched a forensic investigation led by cybersecurity experts to determine the full extent of the breach and which specific patient information had been compromised.
The hospital established a dedicated hotline for affected patients to connect with cyber experts for detailed advice and support. Free counselling services were also made available to help patients deal with the emotional impact of the privacy breach.
The hospital issued an apology to affected patients and clarified that the incident stemmed from an individual staff member's work practices rather than a systemic breach of the hospital's IT security infrastructure.