Cyber Incident Victim: Atherfield Medical & Skin Cancer Clinic
Date: Jun 2023
Location: Australia
Summary
Atherfield Medical & Skin Cancer Clinic was the victim of a cyberattack by the ransomware group Cyclops. An unauthorized third party accessed its network and exfiltrated data, which was subsequently published online. The compromised information included patient names, dates of service, types of medical tests, and doctors' personal banking details. The clinic engaged forensic specialists to investigate the incident and is notifying potentially impacted individuals.
Description
On or around June 29, 2023, the Atherfield Medical & Skin Cancer Clinic in Australia experienced a cyber incident involving an unauthorized third party accessing its network. The ransomware group known as Cyclops claimed responsibility for the attack on that date. Their public listing on a data leak site included a link to download files and screencaps as proof of their claims, which they had uploaded on June 29. An inspection of the data made available by the threat actors revealed a significant amount of personal and health information belonging to patients, as well as the personal banking details of doctors. A specific folder labeled ‘ECG Test Results’ contained subfolders for each year from 2020 to 2023. The filenames within these folders were formatted to include the patient’s first and last name and the date of their echocardiogram. These files were all password-protected PDFs. The disclosure of this information, including patient names, dates of service, and the specific type of medical test, constitutes a serious compromise of sensitive data.

The Clinic was not immediately aware of the incident, as no alert or notification was present on its website in the immediate aftermath. The practice manager, identified as Kaylene, was contacted via email on July 2 and July 3, 2023, by an independent security blog inquiring about the incident. In a response provided on July 3, Kaylene confirmed that the Clinic had recently experienced a cyber incident where an unauthorized third party accessed its network and exfiltrated data. The Clinic stated that upon discovery, it immediately engaged forensic specialists and cybersecurity experts to commence an investigation into the event. This investigation was described as ongoing at the time of the statement. Concurrently, steps were taken to further secure the Clinic's systems in response to the breach.
The threat actors publicly released some of the stolen data on July 1, 2023. This action by the attackers prompted the Clinic to prioritize the investigation of what specific data was exposed. The Clinic committed to notifying all individuals who may have been impacted by the incident and to providing them with steps they could take to protect their personal information. In its communication, the Clinic apologized for any inconvenience or distress caused by the incident and stated it was taking the matter very seriously. The exact scope of the breach, including the total number of individuals affected, was not determined or publicly revealed at the time of the initial confirmation.
Further details emerged from communications with the Cyclops group. A spokesperson for Cyclops, using the name “Booda,” informed an independent security blog that the attack on Atherfield Medical was conducted by an affiliate and not directly by the core Cyclops group. When questioned about the password protection observed on the individual ECG PDF files, the spokesperson stated on July 1 that they would reach out to the affiliate for clarification. However, no further information on this specific point was provided by the group prior to publication. It remained unclear whether the password protection on the files was originally applied by the Clinic as a security measure or if it was added by the attackers after the exfiltration.
The compromised data was extensive and highly sensitive. Beyond the ECG results, the leaked data included a wide array of personal and health information of patients. The inclusion of doctors' personal banking details raised additional concerns, particularly if those financial accounts remained in active use. The incident represents a confirmed breach of a healthcare entity in Australia, a country that has experienced a number of significant cyberattacks on its healthcare sector in recent years. The Clinic's response involved a coordinated effort with external cybersecurity and forensic professionals to understand the full extent of the intrusion and to implement enhanced security measures to prevent a recurrence. The process of individual notification and support for those affected was initiated as the primary response to the data being published online. The investigation continued to work towards determining the complete scope of the data accessed and stolen by the unauthorized party.
