Melbourne Heart Group cyber-attack affects 15,000 patients

A ransomware attack at an Australian heart clinic has corrupted the medical records of 15,000 patients and disrupted systems for more than three weeks.

Staff at Melbourne Heart Group, based within Cabrini Hospital in Malvern, have been unable to access patient files after the attack corrupted data on its servers.

Local newspaper The Age reports that hackers demanded a ransom in exchange for a decryption key – an unknown sum that was reportedly paid by the hospital.

However, it appears that despite the hospital giving in to the attackers, many of the files are still inaccessible.

It is feared that the victims’ data could be used for identity theft.

According to reports, the attack has caused disruption to services. Staff have turned away patients who have turned up for appointments that were no longer on record.

The hospital has stressed that the cyber-attack hasn’t affected medical devices.

A spokesperson said: “The protection of personal patient information is of the utmost importance... patient privacy has not been compromised in this instance.”

The incident was reported on the same day that car manufacturer Toyota Australia revealed it had been the victim of an attempted cyber-attack.

A statement posted on the company’s website said that no employee or customer information is believed to have been accessed.

The statement read: “Toyota Australia can confirm it has been the victim of an attempted cyber attack.

“At this stage, we believe no private employee or customer data has been accessed.

“The threat is being managed by our IT department who is working closely with international cyber security experts to get systems up and running again.

“At this stage we have no further details about the origin of the attack.

“We apologise for any inconvenience caused and thank customers for their patience.”

This week also marked a year since Australia introduced new data breach notification laws.

Australia’s Notifiable Data Breach (NDB) scheme came into effect on February 22, 2018, ruling that companies must report breaches within one month if the consequences are likely to cause “serious harm”.

The definition of “serious harm” has been contested in the 12 months since the bill passed, leading security bods to call for changes to the policy’s wording.

Regardless, the law states that medium to large businesses, and small firms that handle government contracts, credit reference, or health-related data, must comply or face fines of up to A$2.1 million ($1.5m).
