Cyber Incident Victim: Eastern Health
Date: Mar 2021
Location: Australia
Summary
A cyber incident affecting a healthcare provider in Melbourne prompted precautionary system shutdowns, leading to the cancellation of non-urgent elective surgeries while emergency procedures remained unaffected. The organization took multiple IT systems offline to investigate and resolve the issue, explicitly stating patient safety was not compromised. Operational disruptions primarily impacted Category 2 and 3 elective surgeries across several hospitals and facilities under the provider's management.
Description
On or around March 17, 2021, Eastern Health, a healthcare network managing multiple facilities including Angliss, Box Hill, Healesville, and Maroondah hospitals in Melbourne, experienced a cyber incident that disrupted operations. The organization detected anomalous activity late on Tuesday, March 16, prompting precautionary measures to isolate affected systems. Eastern Health proactively took numerous IT systems offline to contain the incident and prevent potential escalation, stating this action was necessary while they worked to investigate and resolve the situation. This network disruption directly impacted clinical operations, particularly elective surgery schedules across their facilities. While Category 1 (urgent) elective surgeries proceeded as planned, Eastern Health canceled less critical Category 2 and 3 elective procedures due to compromised operational capacity. The organization publicly confirmed patient safety remained uncompromised throughout the incident but did not disclose technical specifics regarding the attack vector, threat actor, or initial intrusion method.

The incident occurred against a backdrop of heightened cybersecurity vulnerabilities in Australia's healthcare sector, which consistently reported the highest number of data breach notifications under the country's Notifiable Data Breaches scheme. At the time of the incident, health organizations accounted for 123 of 519 total breach notifications filed between July and December 2020. Eastern Health did not immediately confirm whether patient data was exfiltrated or if the event constituted a notifiable data breach under Australian regulations. Their public communications focused exclusively on operational impacts and containment measures, omitting details about forensic investigations, potential data compromise, or recovery timelines. The disruption demonstrated healthcare infrastructure's critical dependence on IT systems, where even precautionary shutdowns significantly degrade service delivery capacity for non-emergency care.
