St Vincent’s Health falls victim to cyberattack

St Vincent’s Health says it has sustained a cyberattack and hackers have stolen data from its network, with the hospital and aged care provider urgently investigating the incident.

St Vincent’s, which is the nation’s largest not-for-profit health and aged care provider, said it discovered the attack on Tuesday and an investigation into what data has been stolen remained ongoing. It is unclear if the hack involved patients’ data.

St Vincent’s is the nation’s largest not-for-profit health and aged care provider.Credit: SMH

“On Tuesday, 19 December 2023, St Vincent’s Health Australia began responding to a cybersecurity incident,” a spokesman for St Vincent’s said in a statement.

“St Vincent’s immediately took steps to contain the incident, engaged external security experts, and notified all relevant state and federal governments and the necessary agencies.

“Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network.

“St Vincent’s is working to determine what data has been removed.”

The spokesman said an investigation was ongoing, and the company was working to secure its systems, understand what the cyber criminals had done, and identify what data may have been accessed and stolen.

St Vincent’s operates hospitals across NSW, Victoria and Queensland, including three public and 10 private hospitals and 26 aged care facilities. It employs close to 30,000 staff nationally.

“To date, this incident has not affected the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks,” the spokesman said.

“Our priority is the health and safety of our patients, residents, and our people, and the continuity of St Vincent’s services for the community.

“We thank the Australian government and our state government partners for their support since first notifying them of the incident.”

Cybersecurity Minister Clare O’Neil was contacted for comment. A source close to St Vincent’s said that federal and state governments had been briefed daily since the attack was discovered on Tuesday, and that the Australian Cyber Security Centre had been notified of the incident.

The Australian Signals Directorate’s Australian Cyber Security Centre said it was aware of a cyber incident and was working closely with St Vincent’s Health Australia.

Specific inquiries related to this incident should be directed to St Vincent’s Health Australia, it said, adding that Australians are reminded to report cybersecurity incidents at www.cyber.gov.au/report, or to call the Australian Cyber Security Centre Hotline on 1300 CYBER1 (1300 292 371).

The attack is the latest data breach to hit a major Australian company, with Optus and Medibank suffering cyber incidents in late 2022, while major ports operator DP World Australia shut down its terminals last month after a major cybersecurity attack.

The federal government has said that after a recent surge in attacks it would beef up the nation’s cyber defences as part of a new seven-year strategy, including health checks for small businesses, an increase in cyber law enforcement funding, and the introduction of mandatory reporting of ransomware attacks.

“We cannot continue as we have,” O’Neil said last month.

“We can’t have a situation where we have data flying around the country, where we have critical infrastructure starting to fail, where we have small business and citizens who are continually telling us they feel vulnerable and unable to cope with the cyber threats themselves.”

Meanwhile, reports of cybercrime climbed by 23 per cent to more than 94,000 in the financial year to June, the Australian Cyber Security Centre said in its most recent annual threat report.

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.