Pound Road Medical Centre

Summary

Pound Road Medical Centre, a Victorian medical facility with approximately 30 staff, suffered a cyber attack initially detected on 13 November 2024. The Anubis ransomware gang subsequently published sensitive patient data and CCTV footage on 25 February 2025, including medical records, Medicare and pensioner card details, passport scans, and personal information.

What Happened

On 13 November 2024, Pound Road Medical Centre detected suspicious activity on their systems indicating a cyber incident. The medical centre commenced an urgent investigation and took immediate action to contain the breach. Investigation revealed that an unauthorised third party had accessed and exfiltrated patient data from their systems. On 25 February 2025, the Anubis ransomware gang published the stolen data on both darknet and clearnet platforms, including extensive medical data and CCTV footage from the facility.

Impact on Individuals

The breach exposed highly sensitive patient information including medical records, Medicare and pensioner card details, Australian passport scans, dates of birth, names, addresses, email addresses, and phone numbers. The publication of CCTV footage raised additional privacy concerns for patients and staff.

Organisational Response

Pound Road Medical Centre notified both the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) about the incident. The medical centre posted a cyber incident notification online to inform affected patients and commenced an investigation to determine the full scope of the breach.