Cyber Incident Victim: TissuPath Pathology
Date: Aug 2023
Location: Australia
Summary
TissuPath Pathology suffered a cybersecurity incident via a supply chain attack on a third-party supplier. A compromised legitimate account was used to illegally access a backup storage drive containing pathology referral letters. Exposed patient data included names, dates of birth, contact details, and Medicare numbers, though the main diagnostic database and financial information were not compromised. The company reported the breach to authorities and began notifying affected individuals and their doctors.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
On 24 August 2023, TissuPath Pathology Pty Ltd experienced a significant cybersecurity incident. The breach was a supply chain attack that originated through one of the clinic's main third-party suppliers. A vulnerability within the supplier's remote access toolkit (RAT) led to the compromise of their IT systems and user accounts. These legitimate administrator accounts were then mimicked by threat actors to gain illegal entry into the TissuPath IT ecosystem. The attackers successfully accessed one of TissuPath's storage drives using these compromised, yet legitimate, user accounts. At 12:15 pm on the same day, representatives from TissuPath were directly contacted by a threat actor who issued an ultimatum. The threat actor stated they would upload TissuPath information onto the dark web after 48 hours if their demands were not met. TissuPath did not engage with the threat actor, and no further communications were received from them after this initial contact.

The data potentially obtained in this breach consisted of ten years' worth of pathology referral letters, specifically those issued to TissuPath between 2011 and 2020. This data included scanned pathology request forms containing sensitive patient information. The types of information captured on these forms included patient first names, surnames, dates of birth, and gender. It also included patient addresses and mobile numbers if they were provided. Furthermore, the exposed data contained Medicare card numbers and private health insurance account numbers, again, if they were provided. The referral letters also contained information about the referring doctors, including their names, practicing addresses, Medicare provider numbers, and contact numbers if provided. Importantly, TissuPath confirmed that its main database and reporting system, which stores patient diagnoses, was not compromised in the attack. The company also emphasized that it does not store patient financial details, credit card information, or other personal identity documents such as driver's licence numbers.
Upon being informed of the attack on its IT ecosystem, TissuPath's Incident Response team moved quickly to identify the issue and contain the threat. The top priority was to secure user data and ensure other services were not affected. Some of the key actions taken included identifying the user accounts that were compromised or potentially compromised and immediately disabling their access to all systems. A password reset was enforced for these user accounts. The affected or potentially affected servers were disconnected during the ongoing investigations. The company activated its cybersecurity plan, and the team performed investigations to identify the indicators of compromise (IOCs). While access to the servers was successfully restored, all TissuPath users and systems were required to change their passwords as a precautionary measure. Additionally, TissuPath removed and blocked all third-party support access and accounts to prevent further unauthorized entry.
TissuPath promptly reported the security incident as a Notifiable Data Breach to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate. The company is actively working with ACSC representatives, who continue to monitor the situation and provide technical advice and assistance. The national cybersecurity coordinator, Darren Goldie, acknowledged the government's awareness of the TissuPath data breach, as well as potential incidents affecting other organizations like Barry Plant and Strata Plan. Goldie stated that the National Cyber Security Coordinator is overseeing a whole-of-government response to the TissuPath incident due to its sensitivities. These three incidents were linked on a dark web site to the notorious ransomware gang ALPHV, though Goldie officially declined to attribute the attack.
The nature of the data involved heightens the severity of this incident. TissuPath Pathology specimens and referrals are for suspected cancer patients. Under the National Pathology Accreditation Advisory Council (NPAAC) guidance, such data is required to be retained for 20 years. This long retention period for highly sensitive medical information contributed to the scale of the potential exposure. Because TissuPath does not record or store contact email addresses for patients, the company sent a notification letter via post to all primary referring doctors on 25 August 2023, the day after the incident was discovered. This letter informed the doctors of the security incident. TissuPath is also in the process of directly contacting all affected individuals to notify them of the breach and the potential exposure of their personal information.
The breach was first reported by Cyber Security Connect, and TissuPath confirmed the timeline and details on its official website. The incident highlights the growing threat of supply chain attacks, where a vulnerability in a third-party supplier's systems can be exploited to gain access to the primary target's network. In this case, the compromise of the supplier's remote access toolkit was the initial attack vector that allowed the threat actors to mimic legitimate administrator accounts and move laterally into TissuPath's environment. The ALPHV group, which is linked to this incident, is the same notorious ransomware gang responsible for the hack of Australian law firm HWL Ebsworth in April of the same year. That attack also involved significant data exfiltration and threats to release information on the dark web.
TissuPath has provided specific guidance to individuals concerned about the exposure of their Medicare information. The company clarified that a copy of a Medicare card may have been exposed, which contains more identifiable information than just the number. The easiest way to replace a Medicare card is by using a Medicare online account through myGov. Services Australia has published information on steps individuals can take to protect their personal information after a data breach. Importantly, TissuPath noted that a Medicare card number by itself, without the physical copy, cannot be used as proof of identity and cannot be used to access an individual's Medicare account details. For concerns regarding Services Australia accounts, individuals were directed to contact the Scams and Identity Theft Helpdesk.
The company has established dedicated contact channels for those affected by the breach. Patients and doctors with queries or requiring clarification were advised to contact TissuPath Pathology Pty Ltd at its physical address in Mount Waverley, Victoria, via telephone, or through a dedicated email address for privacy concerns. The response underscores the challenges healthcare providers face in securing vast amounts of legacy patient data required to be stored for long periods under regulatory guidelines. It also demonstrates the coordinated response between a private entity and government cybersecurity agencies to manage the fallout from a significant data breach and mitigate potential harm to affected individuals. The incident remains under investigation with the assistance of cybersecurity experts, and TissuPath continues to work with authorities to address the situation.
