Global private equity giant TPG’s Australian pathology business, TissuPath, has suffered a data breach with a decade’s worth of patient request forms being released on the dark web.
TissuPath confirmed on Wednesday that no pathology testing information or billing details had been exposed, but admitted patient request forms from 2011 to 2020 had been released by the Russian cyber gang BlackCat, also known as ALPHV.
ALPHV’s dark web data dump.
ALPHV posted an announcement on its site that read: “FULL LEAK. Enjoy!” It claimed 446 gigabytes had been released, comprising more than 735,000 files. “Data dump contains Medical Records of your clients. We believe your clients will be very unhappy, and your silence will ruin your reputation,” it posted.
The leaked files include clinical notes which outline a patient’s simple health history, such as evidence of undergoing a hysterectomy procedure or treatment for cancer, and potentially, current ailments.
TissuPath is believed to have been hit via one of its suppliers – IT firm Core Desktop – in what is known as a supply-chain attack, when hackers compromise the networks of a service provider. ALPHV is claiming it has hacked several of the Melbourne-based firm’s other clients, including real estate agency Barry Plant.
TissuPath on August 27 alerted patients about the breach.
A TissuPath spokesman said the company is “investigating a data breach at a third-party IT supplier”, and that the group had received a ransomware notice which was reported immediately to authorities. TPG declined to comment.
“Exposed data includes scanned pathology request forms with information that includes patient names, dates of birth, contact details, Medicare numbers, and private health insurance
Read more on afr.com