Cyber Incident Victim: Datatime

Date: Nov 2022

Location: Australia

Summary

A cyber attack targeting Datatime, a contractor processing medical surveys for a major Australian skin cancer study, compromised sensitive personal data including names, addresses, Medicare numbers, and potentially medical survey responses from over 1,000 participants. Hackers infiltrated servers holding the information before scheduled deletion, temporarily locking the company out of its systems and exfiltrating data samples. The affected research institute notified impacted individuals privately but faced criticism for not publicly disclosing the breach while continuing recruitment for other studies. Participants reported significant distress over potential exposure of highly personal health details, including mental health status and medication histories. The incident highlighted gaps in breach disclosure laws, as organizations face no legal obligation to announce such events publicly despite potential risks to individuals.

Description

In November 2022, cyber attackers breached servers operated by Datatime, a technology company contracted by QIMR Berghofer Medical Research Institute to process survey data for its QSKIN skin cancer study. The hackers locked Datatime out of its systems and exfiltrated sensitive information before the company could delete the records as planned. The compromised data included names, addresses, Medicare numbers, and responses to personal medical surveys from 1,128 study participants. QIMR Berghofer confirmed the breach after being contacted by media but had not publicly disclosed it prior, continuing to recruit participants for other studies without informing them of the security incident. Datatime’s parent company, PNORS Technology Group, asserted that forensic investigations found no evidence of data being released publicly, though QIMR Berghofer’s principal investigator acknowledged in participant communications that survey responses might have been accessed. The institute notified affected individuals via email in November 2022 following recommendations from Queensland’s privacy regulator but declined to confirm whether it had experienced other unreported breaches or explain its lack of public disclosure.

The breach exposed highly sensitive health information, including participants’ medical histories, mental health status, marital status, menstrual cycles, and prescription records linked to Medicare identifiers. Impacted individuals reported significant distress, with one participant describing sleep disruption and feelings of vulnerability due to uncertainty about how the stolen data might be used. Multiple respondents expressed anger upon receiving new study recruitment requests from QIMR Berghofer without prior acknowledgment of the breach, perceiving this as a breach of trust. An 81-year-old participant criticized the institute’s failure to safeguard data or issue a public apology, stating the incident violated her expectations of confidentiality. Legal experts highlighted that Australian law did not mandate public disclosure of such breaches, creating gaps in accountability. QIMR Berghofer stated it would enhance contractor vetting processes following the incident, while Datatime maintained no further contact occurred with the attackers after the initial compromise.
