Monash Health has been caught up in an attack on a third-party company it engaged to scan and archive documents from family violence and sexual assault support cases over a 23-year period.
Image credit: Monash Health.
The health services provider said it was exposed to a breach of Victoria-based ZircoDATA that it “used to scan archived historical documents.”
The company was reported to have a ransomware infection in February.
“Investigation analysis indicates that the Monash Health information involved in the ZircoDATA data breach relates to a selection of archived data from the family violence and sexual assault support units at Monash Medical Centre, the Queen Victoria Hospital, and Southern Health, limited to the period from 1970 to 1993,” Monash Health chief Eugine Yafele said.
“Due to the historical nature of the data, anyone who believes they may be impacted by the breach should contact Monash’s dedicated hotline [1800 491 663].”
Yafele said the health services provider was “deeply disappointed to be in this position.”
“Our team is working tirelessly and diligently to verify those who are impacted and understand what data was compromised,” he said.
The federal government’s national cyber security coordinator Lieutenant General Michelle McGuinness said Monash Health’s exposure to the incident is “a distressing development.”
“In particular, I want to acknowledge the impact this news will have on affected victim-survivors who had been supported by Monash Health’s services,” McGuinness wrote on LinkedIn.
McGuinness said the National Office of Cyber Security has been “assisting ZircoDATA in ascertaining the full extent of the compromise and supporting both the organisation and its affected government clients to identify impacted victims and to meet their obligations to notify them” since mid-March.
“Assessing the full extent of the breach is a time-consuming process and ZircoDATA is still trying to determine the full list of affected persons and organisations,” McGuinness wrote.
“Disclosures occur once there is certainty around the information affected, the safety of victims, and readiness of support services.”
Melbourne Polytechnic also impacted
About 60,000 “past and present students” of Melbourne Polytechnic are also impacted.
The institution said ZircoDATA had held “student enrolment data”, though it is said to be “limited to ‘low risk identity attributes’ – student’s full names, student identification numbers, dates of birth and physical addresses at the time of enrolment.”
Government exposure “minimal”
McGuinness warned that multiple “government entities” are also impacted by the breach but added that “the impact for most … is likely to be minimal.”
“The majority of these entities are still in the process of working with ZircoDATA to identify impacted data and any victims, and are yet to begin notifying impacted individuals,” McGuinness wrote.
“There are clear processes for ZircoDATA and the affected government entities to work through.”
The Office of the Victorian Information Commissioner (OVIC) said that affected bodies in the state should notify it.
