Patient Data Breached In Tissupath Pathology Third-party Hack
The ALPHV ransomware group has conducted an attack on a Melbourne-based pathology firm, gaining access to detailed patient records through the use of login credentials from a third-party supplier.
The incident came to light on August 24th when the threat actor contacted TissuPath, issuing a threat to publish patient information within 48 hours unless a ransom was paid. Subsequently, TissuPath launched an investigation, confirming the breach and implementing its cybersecurity protocols.
While the threat actor’s identity is not explicitly mentioned in TissuPath’s incident report, threat intelligence platform Falcon Feeds attributes the attack to ALPHV. It’s worth noting that the threat actor’s own TOR leak site is currently inaccessible.
The compromised patient data includes names, dates of birth, gender information, and contact details such as phone numbers and addresses (if provided by the patient). Additionally, Medicare and health insurance numbers, as well as details of the referring doctors for each patient, were also exposed.
TissuPath clarified that billing information was not impacted since it is not stored on the affected systems. However, the company has not disclosed the exact number of affected patients but did mention that the exposed data pertains to referrals made between 2011 and 2020.
In its incident report, TissuPath explained, “The TissuPath Pathology specimens and referrals are for suspected cancer patients. Such data is retained for 20 years and reported as per National Pathology Accreditation Advisory Council (NPAAC) specifications.”
The threat actor initially gained entry through a third-party supplier whose storage drives were accessed due to a vulnerability in their remote access toolkit (RAT). Using this point of entry, the actor managed to access admin accounts, which provided access to TissuPath’s network.
TissuPath’s response to the breach has been comprehensive. The company has reached out to the doctors whose patients were affected (as it doesn’t retain patient email addresses) and has initiated a password reset for all users while blocking third-party access to its network.
Furthermore, TissuPath promptly reported the security incident as a notifiable data breach to the Office of the Australian Information Commissioner and Australian Cyber Security Centre. The company is actively collaborating with representatives from the Australian Cyber Security Centre.
TissuPath has also provided a list of actions and advice for those impacted by the breach, including staying vigilant for potential scammers using the exposed data and monitoring online accounts for suspicious activity.
It’s noteworthy that ALPHV, also known as BlackCat, has seemingly intensified its targeting of Australian businesses recently. The group listed two other local victims on its leak site, including strata operators Strata Plan and real estate agent Barry Plant, both based in Victoria. However, the exposure for Barry Plant is reportedly limited to one branch office, according to Lisa Pennell, the CEO of Barry Plant.