UnitingCare Queensland cyber-attack

On Sunday 25th April 2021, health and aged care provider UnitingCare Queensland experienced a cyber-attack on its network, causing loss of access to the national My Health Record system across its hospitals and aged care facilities. Based on previous attacks and the nature of the information to which UnitingCare has access, it is believed that the hackers were trying to access personal patient information and records, either to destroy them or to use them to blackmail targeted individuals. The attack also caused significant disruptions across internal patient systems as well as telephones, emails, Wi-Fi – even the photocopier machines.

Shortly after the breach had been identified, UnitingCare Queensland published a media statement saying that it had engaged forensic support and notified the Australian Cyber Security Centre (ACSC) of the breach. The Australian Digital Health Agency (ADHA) also issued a statement saying that it had responded by blocking UnitingCare Queensland’s access to the national healthcare system as a precautionary measure, in line with its responsibilities as the system operator of the My Health Record system. The ADHA also scanned its national infrastructure to identify signs of the malware that affected UnitingCare Queensland.

The Office of the Australian Information Commissioner (OAIC) has consistently reported, since the beginning of the Notifiable Data Breaches (NDB) scheme in February 2018, that the highest reporting industry sector is the healthcare industry (23%), followed by finance (15%). Just 6 weeks earlier, Eastern Health in Victoria suffered a cyber-attack similar to the one on UnitingCare Queensland.

The latest NDB report, covering the period 1st July-31st December 2020 and released by OAIC on 8th January 2021, notes that the kinds of personal information involved in the data breaches comprised 40% financial details, 26% health information and 18% tax file numbers. With regard to the sources of data breaches in the healthcare sector, 57% were attributed to human error, 41% to malicious or criminal attacks and 2% to system failure.

The ACSC, in its 2020 Health Sector Snapshot, highlighted that the COVID-19 pandemic had seen a rise in cyber-attacks on healthcare systems, warning that ransomware is ‘the most significant cybercrime threat to the Australian health sector.’ The healthcare sector is a particularly vulnerable target for cyber-attacks because 1) it holds sensitive personal information about individuals as well as technology and research data about the COVID-19 vaccine, which can lead to greater ransom demands, and 2) the essential nature of health care services and public trust in them means there is significant pressure on health care organisations to immediately address and respond to breaches.

As with any cyber-attack on any system, the ACSC recommends that individuals and corporations:

  • keep their software up to date;
  • use multi-factor authentication; and
  • store backups offline.

If you’re a business owner, the Australian Government’s ‘Support for businesses in Australia’ website also recently published a helpful guide on ‘How to protect your business from cyber threats’, which includes useful information on how to prevent a malicious cyber-attack.

If you would like to know more about how you can help your clients respond to cyber-attacks, listen to Episode 16 of Hearsay the Legal Podcast with Reece Corbett-Wilkins from Clyde & Co.