Cyber Incident Victim: Cabrini Health
Date: Feb 2019
Location: Australia
Summary
A cybercrime syndicate compromised approximately 15,000 patient medical records from a cardiology unit at Cabrini Hospital through a ransomware attack, demanding cryptocurrency payment to restore access. The malware, suspected to originate from North Korea or Russia, corrupted data and disrupted operations for over three weeks, leading to lost files containing sensitive personal and medical information that posed identity theft risks. While a ransom was paid, some files remained irrecoverable, causing appointment record discrepancies and patient notifications of data loss. Commonwealth security agencies and federal police investigated the breach, with the hospital asserting no compromise to cardiac device functionality or broader patient privacy. The incident underscored systemic vulnerabilities in healthcare sector cybersecurity.
Description
In February 2019, a cybercrime syndicate executed a ransomware attack targeting Melbourne Heart Group, a cardiology unit operating within Cabrini Hospital in Malvern, Victoria. The attackers deployed malware—suspected by investigators to originate from North Korea or Russia—to penetrate the unit’s security network, encrypting approximately 15,000 patient medical files and rendering them inaccessible. The incident crippled the hospital’s server for over three weeks, disrupting clinical operations and corrupting sensitive data. Attackers demanded a ransom payment in cryptocurrency in exchange for a decryption key to restore access. While the hospital confirmed a payment was made, a portion of the scrambled files—including patients’ personal details and medical records—remained unrecoverable, creating risks of identity theft. Some patients arrived for appointments with no corresponding records, while others were notified of data loss without detailed explanations. The Australian Cyber Security Centre provided incident response support, and the Australian Federal Police initiated a joint investigation with Commonwealth security agencies into the breach’s origins.

The attack compromised specialized cardiology records but did not affect cardiac implantable device functionality, according to Melbourne Heart Group’s spokesperson, who asserted no patient privacy violations occurred despite the data corruption. The incident coincided with revelations of state-sponsored cyber intrusions targeting Australian political entities, amplifying calls for strengthened national cybersecurity measures, particularly in email security. Cybersecurity experts attributed the breach to likely phishing tactics, where an employee may have inadvertently activated ransomware via a malicious link or attachment. The event echoed prior healthcare-sector ransomware incidents, including the 2017 WannaCry attacks that disrupted the UK’s National Health Service and the 2016 Hollywood Presbyterian Hospital breach that resulted in a bitcoin ransom payment. Cabrini Hospital’s inability to fully restore files highlighted persistent vulnerabilities in medical data protection and recovery protocols amid escalating threats to critical infrastructure sectors.
