The company, which has connections to fertility clinics in New South Wales, Queensland, Victoria, Tasmania, South Australia and the Northern Territory, told the ABC that experts were working to determine the extent of the infiltration.
The hack appears to have come to light when patients received phishing emails from scammers and contacted the ABC to complain.
Monash IVF Group has no media contact listed on its website.
The company's chief executive, Michael Knaap, claimed to the ABC that the patient database had not been touched.
But he said nothing about how patients had been sent emails by the scammer or scammers.
Knaap also claimed that the lack of definite information at this stage was because of "the extremely complicated nature of these incidents".
But it was not pointed out to him that similar incidents happen all over the world every day and companies do react much faster in informing the public about them.
Commenting on the incident, Rob Dooley, country manager of data security firm Carbon Black A/NZ, said: "The breach on Monash IVF Group’s internal email servers only serves to highlight the vulnerability of Australia’s healthcare sector to cyber attacks. This sector has seen increased attacks over the course of the year from ransomware attacks on Barwon Health to the Melbourne Heart Group.
"Poor and inadequate security controls, outdated technology and the high quality of healthcare patient data are just some of the reasons why healthcare organisations have been hit so hard by security breaches.
"According to Carbon Black’s second Australian Threat Report, phishing attacks were the prime cause of these breaches according to 27% of Australian respondents who have had a cyber attack on their company, with phishing attacks having more than doubled in the last six months. Furthermore, 89% of Australian organisations reported that cyber attacks have grown more sophisticated.
"These results point to a need for Australia’s healthcare sector to adopt a comprehensive approach to cyber security, one that incorporates prediction, prevention, detection, and response to attempted attacks. Healthcare organisations need to make endpoint protection a top priority and be more pro-active about managing cyber risks so as to combat this crimewave.”
Mark Sinclair, ANZ regional director of WatchGuard Technologies, said: "This is an example of another security breach in the healthcare industry and backs up the data from the August OAIC Notifiable Data Breach Report that puts healthcare at the top of the industry list for reportable data breaches in Australia.
"The healthcare industry remains a top target for cyber criminals and companies need to be especially vigilant."
"It is a reminder of the value of personal data to criminals. A person’s name and email address may seem fairly innocuous on their own, but when coupled with a company, or in this case a specific form of medical treatment, it becomes a powerful weapon for those seeking to scam people online."
Alex Woerndle, principal adviser, Cyber Security – Risk & Governance at technology research and advisory firm Ecosystm, said: “Phishing, although not in the media as often as in the past, is still one of the most common sources of cyber-attacks.
"Situations like this often highlight a lack of readiness to deal with an incident. However, the response is equally as important as the incident itself. Ecosystm’s ongoing cyber security study shows that while 93% of Australian organisations have a breach notification process in place, only 28% continue to evolve the process.
"A strong and evolving communications strategy - both internally and externally - is crucial. Otherwise the media attention that arises from the breach gains its own steam and potentially makes the situation even worse for all concerned.”