Diabetes WA
Summary
Diabetes WA, a Western Australian healthcare organization providing services for people with diabetes, disclosed a data breach on April 2, 2024 affecting users of its telehealth service. The breach occurred when a single compromised user account was exploited by a third party, providing access to personal information including Medicare numbers, health details, and contact information. The organization quickly detected and contained the breach, blocking the compromised account and notifying all affected individuals.
What Happened
An unauthorized third party gained access to a single Diabetes WA user account, likely through credential compromise such as phishing or password theft. The compromised account provided access to the personal information of contacts who had engaged with Diabetes WA's Telehealth Service.
Diabetes WA detected the unauthorized access and promptly blocked the compromised account to prevent further intrusions. The organization activated its Cyber Security Response Plan and launched an investigation to determine the full scope of the breach and identify all affected individuals.
The breach was limited to the telehealth service database and did not extend to detailed medical records or clinical information stored in other systems. However, the accessed information still included sensitive health-related data that could be used for identity theft or medical fraud.
Impact on Individuals
The breach affected individuals who had contacted Diabetes WA's Telehealth Service and exposed:
- Full names and contact information (addresses, emails, phone numbers)
- Dates of birth
- Medicare numbers
- Marital status and Indigenous status
- Referring doctor information
- Diabetes type diagnosis
- Telehealth service engagement records
While detailed medical records and clinical notes were not accessed, the compromised information still poses significant risks:
- Medicare fraud: Medicare numbers can be used to fraudulently claim government health benefits or obtain prescription medications
- Identity theft: The combination of name, date of birth, address, and Medicare number provides substantial information for creating fraudulent identities
- Targeted health scams: Knowledge of diabetes diagnosis and referring doctors enables convincing medical scams impersonating healthcare providers or diabetes supply companies
- Privacy invasion: Disclosure of health conditions (diabetes type) and demographic information (Indigenous status, marital status) represents a serious privacy breach
- Discrimination risk: Unauthorized disclosure of health conditions could potentially lead to employment or insurance discrimination
Organisational Response
Diabetes WA responded swiftly by blocking the compromised account and activating its Cyber Security Response Plan. The organization conducted a thorough investigation to identify all affected individuals and determine what information was accessed.
All affected individuals were directly contacted and advised to:
- Obtain a new Medicare card number via MyGov or by contacting Services Australia
- Monitor Medicare claims for any suspicious or unauthorized activity
- Be alert for phishing attempts or scams impersonating Diabetes WA or related health services
- Contact IDCARE for additional identity theft support and guidance
Diabetes WA notified the Office of the Australian Information Commissioner as required under the Notifiable Data Breaches scheme and cooperated with authorities to investigate the incident.
The organization emphasized that the breach was quickly detected and fully contained, with no evidence of ongoing unauthorized access after the compromised account was blocked. However, the incident highlighted the risks of credential-based attacks on healthcare organizations, where a single compromised account can provide access to sensitive patient information.
The breach added to growing concerns about cybersecurity in Australia's healthcare sector, which has faced an increasing number of data breaches targeting sensitive medical information. Diabetes WA's relatively rapid detection and containment demonstrated the value of active monitoring and incident response capabilities in minimizing breach impact.