Medlab Pathology discloses February data breach

Medlab Pathology has disclosed a February data breach affecting 223,000 individuals, mostly in NSW and Queensland.

Its ASX-listed owners, Australian Clinical Labs (ACL), said [pdf] that Medlab "became aware of an unauthorised third-party access to its IT system in February 2022."

ACL said it "immediately coordinated a forensic investigation led by independent external cyber experts" into the incident but "did not find any evidence that information had been compromised.”

The Australian Cyber Security Centre (ACSC) learned of the incident - said to be ransomware - in March, and in June alerted ACL to the appearance of a "highly complex and unstructured" Medlab dataset appearing on the dark web.

ACL said it had "taken the forensic analysts and experts until now" - four months later - "to determine the individuals and the nature of their information involved."

The company said it had kept the ACSC "abreast of the progress" and had since also notified the Office of the Australian Information Commissioner (OAIC).

According to ACL, the breached records of most concern include 17,539 records associated with a pathology test; 28,286 credit card numbers with individuals’ names (around 15,700 have expired numbers, but 3375 of the records included CVV code); and 128,608 Medicare card numbers with the individuals’ name.

ACL said it is in the process of directly contacting those individuals impacted.

Medlab Pathology claims on its website to be "one of Australia’s largest, privately owned independent pathology practices."

The company's website lists hundreds of collection centres for pathology results.