Cybersecurity Incident Notice
On 24 August 2023, TissuPath Pathology Pty Ltd (TissuPath) had a cybersecurity incident caused by a supply chain attack via one of its main 3rd party suppliers. One of its storage drives was illegally accessed by legitimate accounts which had been compromised. The data potentially obtained by the threat actors is from pathology referrals issued to TissuPath between 2011 and 2020.
Our investigations have uncovered that the threat actor’s illegal entry was gained via a 3rd party supplier. The supplier’s IT systems and user accounts were compromised due to a vulnerability on their remote access toolkit (RAT). These legitimate administrator accounts were mimicked to gain access into TissuPath IT ecosystem.
Upon being informed of an attack on the TissuPath IT ecosystem, our Incident Response team quickly identified the issue and moved to respond to the attack. The top priority was to contain the threat posed by the threat actor who had remote access to the systems by ensuring that the user data was secure and other services were not affected.
Some of the key actions we took, and continue to take are as follows:
- We identified the user accounts that were compromised or potentially compromised and disabled the access to all systems. We enforced a password reset for these user accounts.
- We disconnected the affected or potentially affected servers during the investigations.
- Our cybersecurity plan was activated, and our team performed investigations to identify the indicators of compromise (IOCs).
- While successfully restoring access to the servers, we required all TissuPath users and systems to change their passwords.
- We have removed/blocked all 3rd party support access and accounts.
As TissuPath does not record or store contact email addresses, TissuPath had on 25 August 2023 sent a notification letter to all primary referring doctors informing them of the security incident.
The threat actor illegally accessed a TissuPath backup storage drive via a legitimate 3rd party user account which in turn had been compromised.
At 12:15 pm on 24th August 2023, TissuPath representatives were contacted by a threat actor who issued a threat to upload TissuPath information (as detailed below) onto the Dark Web after 48 hours if their demands were not met. TissuPath promptly reported the security incident as a Notifiable Data Breach to the Office of the Australian Information Commissioner and Australian Cyber Security Centre. TissuPath is now actively working with the Australian Cyber Security Centre representatives.
Of note, no contact has been made with the threat actor and there has not been any further communications by the threat actor to TissuPath.
Information stored by TissuPath
The TissuPath Pathology specimens and referrals are for suspected cancer patients. Such data is retained for 20 years and reported as per National Pathology Accreditation Advisory Council (NPAAC) specifications (https://www.safetyandquality.gov.au/publications-and-resources/resource-library/requirements-retention-laboratory-records-and-diagnostic-material)
The types of information captured and stored by the lab systems are as follows:
- Patient First Name
- Patient Surname
- Patient Date of Birth
- Patient Gender
- Patient Address (if provided)
- Patient Mobile Number (if provided)
- Patient Medicare Card Number (if provided)
- Patient Private Health Insurance Account Number (if provided)
- Doctor Name
- Doctor Practicing Address
- Doctor Medicare Provider Number
- Doctor Contact Number (if provided)
No financial information is captured and/or stored within any of the TissuPath systems.
Please see below practical recommendations individuals should take in response to the data breach:
- Look out for any suspicious activity across all online accounts.
- Report any suspicious activities or transactions in your bank account immediately to your financial institution.
- Do not click on any links in any email or SMS claiming to be from TissuPath.
- If someone calls claiming to be a representative of TissuPath and:
- Offers help on the reported data breach, such person is highly likely to be a scammer who is trying to obtain further personal information, so please consider hanging up and do not provide any personal information; and/or
- Requests access to your computer, say NO and hang up.
- Do not click on any links that look suspicious and never provide passwords or any personal or financial information.
- Other resources which you may refer to for reference or assistance:
Important Medicare Information
Medicare card copy
A Medicare card copy belonging to you may have been exposed during the cyber incident.
If you’re concerned or you’ve been affected, the easiest way to replace your Medicare card is by using your Medicare online account through myGov.
The Services Australia website contains helpful information about the steps you can take to replace your card:
If you are concerned about the security of your Medicare, Centrelink and myGov accounts, you can contact the Scams and Identity Theft Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
Medicare Card Number (number only, not card copy)
A Medicare card number belonging to you (not a copy of your Medicare card) may have been exposed during the cyber incident.
People can’t access your Medicare details or Medicare account with just your Medicare card number. To reassure you, unlike a scan or copy of a Medicare card, a Medicare card number by itself cannot be used as a proof of identity.
If you are concerned about the security of your Services Australia accounts, you can contact the Scams and Identity Theft Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).
Please do not hesitate to contact us if you have any queries or require any clarification at the following contact details:
TissuPath Pathology Pty Ltd
32 Ricketts Road, Mount Waverley VIC 3149, Australia
T: (03) 9543 6111