Medical lab took five months to disclose data breach

Medical testing company MedLab and its parent firm, Australian Clinical Labs, took five months after a government warning that customers’ data was on the dark web to tell 223,000 people their personal information had been exposed.

The company, which does COVID-19 tests among a raft of others, first uncovered signs of a hack in February. Cybersecurity contractors investigated the hack but did not find evidence data had been compromised. The company relied on that advice to dismiss a government alert in March about a potential ransomware attack.

Australian Clinical Labs waited months to disclose the breach. Credit: Bloomberg

In June, the Australian Cyber Security Centre found MedLab customer data on the dark web but the company still did not inform its customers because it was analysing the “complex and unstructured” data to determine what information had been taken from which customers.

The breach includes almost 30,000 credit card numbers, some of which are expired, and 128,000 Medicare card numbers, along with smaller numbers of personal identity document information from passports and driver’s licences. The company disclosed in a statement to the ASX on Thursday that 17,539 individual medical and health records associated with a pathology test had also been taken. It is now starting to contact customers.

The Australian Cyber Security Centre declined to comment.

Optus and Medibank were pilloried for their communications in the wake of cybersecurity breaches at those firms, but both issued repeated updates to customers as soon as they became aware of the intrusion.

In a statement, Australian Clinical Labs defended its disclosure. “Given the highly complex and unstructured nature of the data-set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved,” its statement reads.

Australian Clinical Labs chief executive Melinda McGrath, who the company did not make available for interview, issued a written statement apologising for the incident.

“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected,” McGrath said. “We are in the process of providing tailored notifications to the individuals involved.”

“We want to assure all individuals involved that ACL is committed to providing every reasonable support to them.”

The company said that to date, it was not aware of any misuse of the information or ransom demand and was making free credit monitoring available to customers who require it.

Australian Clinical Labs’ shares were down 7 per cent at 1pm on Thursday.

Rachael Falk, the chief executive of the Cyber Security Co-operative Research Centre, said even if Australian Clinical Labs was unsure whether it legally had to disclose, it should have been transparent.

“My view is as soon as you know you have a breach and you fall under the Privacy Act, even if you’re not sure, disclose, disclose, disclose,” Falk said. “Disclosure and transparency is always the best option.”

The ASX, ASIC, Services Australia and the Office of the Australian Information Commissioner have been contacted for comment.

More to come.
