Conflicting claims of a cyber attack on a major hospital have emerged after a private cancer specialist revealed his own IT systems were targeted with sensitive patient data seemingly leaked, highlighting the risks to doctors in private practice.
Media reports earlier this month suggested the Crown Princess Mary Cancer Centre at Westmead Hospital, Sydney, had fallen victim to hackers after cyber criminal group Medusa threatened to release patient data stolen from the facility.
Posting on the dark web, the cyber gang set a seven-day countdown clock along with demands for a ransom of $US 100,000 to be paid to a bitcoin address.
It also provided a “proof pack” and listed more than 10,000 files on its system, according to cyber researchers at databreaches.net.
However, it now appears the criminals actually hacked into the IT systems of Associate Professor Felix Chan, a gynaecological oncologist who has rooms located at Westmead Private Hospital, rather than the cancer centre itself.
In a statement on his website, Dr Felix, who specialises in robotic surgery, said he became aware that he had been targeted in a cyber incident on 1 May.
“In response, I took immediate action to safeguard patients and contain the incident by engaging external cyber security experts, and I am actively working with the NSW government and other regulators,” Professor Chan wrote.
“I understand that this news will be concerning to current and former patients, and I apologise for the distress and uncertainty that patients may be feeling.
“My number one priority is ongoing medical care and support of my patients.”
Professor Chan, who is known for pioneering multiple techniques in robotic gynaecological surgery and performing the first single site robotic hysterectomy in Australia in 2013, said disruption to patient care had been minimal.
“Cyber security specialists are working around the clock to ensure that the practice’s systems are secure, to determine how this incident began, and to identify which patients may have had their personal information compromised.
“I will continue to provide updated information to our patients, and the broader community as the investigation continues.”
Police were investigating the incident, according to The Australian.
In a Twitter thread on 5 May, Victorian journalist Else Kennedy, who claimed she had accessed the dark web after a loved one was caught up in the incident, said 18 files had been uploaded to Medusa’s blog, all containing sensitive information.
All of the files were linked to Professor Chan, she said.
She claimed the details leaked online included names, Medicare numbers, addresses, dates of birth, diagnoses, prescriptions, treatment plans and costs.
I've gone into the dark web swamp to see the Crown Princess Mary Cancer Centre ransom threat.
This is what I think you should know if, like me, you've got a loved one caught up in this mess: 1/
— Else Kennedy (@elsekennedy) May 5, 2023
NSW Health has distanced itself from the cyber attack.
“No threats have been identified impacting NSW Health systems, NSW Health databases, nor Crown Princess Mary Cancer Centre databases,” a spokesman told The Australian.
“The NSW government identified the incident impacted a third-party entity. The third-party was subject to a criminal attack, with data being exfiltrated.
“The safety and security of all NSW Health systems remains of highest importance and is continually monitored and safeguarded.”
Meanwhile, cyber experts Dr Mohiuddin Ahmed and Professor Paul Haskell-Dowland from Edith Cowan University, Perth, have provided tips for healthcare professionals on how to protect themselves against similar attacks.