Cyber Incident Victim: Crown Princess Mary Cancer Centre
Date: May 2023
Location: Australia
Summary
The Crown Princess Mary Cancer Centre at Westmead Hospital was the target of a cyber attack by the Medusa ransomware group. The hackers threatened to release stolen data unless a ransom was paid, listing the centre on their dedicated leak site with a countdown timer. NSW Health authorities were alerted to the threat and launched an investigation, stating that the attack did not appear to have impacted any of the health system's or the cancer centre's databases.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 1, 2023, the Crown Princess Mary Cancer Centre, a major cancer treatment facility that is part of Westmead Hospital, located 26 kilometers west of Sydney, became the target of a cyber attack. The hacker group known as Medusa claimed responsibility for the attack. NSW Health officials were formally alerted to the ransomware threat late on the afternoon of Thursday, May 4, 2023, and began their investigation into the event. Medusa followed the double-extortion pattern consistent with its known operations: it used ransomware to first steal data from the victim organization and then encrypt that data. Following the encryption, the hackers threatened to publish the stolen information publicly unless a ransom was paid.

The attackers publicly listed the Crown Princess Mary Cancer Centre on their dedicated leak site, which they referred to as the Medusa blog. This listing was accompanied by a countdown timer, indicating approximately seven days remained before the threatened data release would occur. Screenshots of this leak site listing began circulating on the social media platform Twitter, where they were identified and picked up by cyber threat analyst Brett Callow. This public shaming and extortion tactic is a hallmark of the Medusa group's operations, designed to apply pressure on the victim organization by creating a public spectacle and threatening severe reputational damage.
According to official statements from an NSW Health spokesperson, the initial investigation indicated that the attack did not appear to have impacted any NSW Health databases, nor the specific databases belonging to the Crown Princess Mary Cancer Centre itself. The official statement emphasized that the safety and security of all NSW Health systems remained of the highest priority and that these systems are continually monitored and safeguarded. NSW Health also stated it works closely with state and federal government cyber security agencies to ensure that any cyber event is prevented, detected, and responded to in the most appropriate manner possible.
The Medusa group was identified by cybersecurity firm CyberCX as posing a high threat to organizations. Analysts from the firm reported that Medusa had been the second-most active cyber extortion group in the Pacific region since the start of January 2023, having been actively targeting organizations in Australia and New Zealand during that period. Analysts further assessed that the group, while likely small in size, was experienced in its operations. The group had previously gained notoriety for its attack on Minneapolis Public Schools in the United States in March of the same year. In that incident, after the school district refused to pay a one million US dollar ransom, the group followed through on its threat and posted gigabytes of what it claimed was highly sensitive information, including allegations of sexual abuse.
The Crown Princess Mary Cancer Centre is a significant component of the Sydney West Cancer Network. Its function is to provide fully integrated research, prevention, diagnostic, treatment, and rehabilitation programs for patients and their families who are coping with cancer. The potential compromise of data related to such sensitive patient care operations represents a serious threat to patient privacy and the operational integrity of a critical healthcare provider. The nature of the data allegedly stolen was not detailed in the immediate aftermath of the attack, but the very threat of its release creates significant concern for patient confidentiality.
The response actions taken by NSW Health involved an immediate and ongoing investigation into the issue upon being alerted. The primary public response was through official statements that sought to reassure the public and stakeholders that core database systems had not been breached while simultaneously acknowledging the ongoing investigation into the threat. The engagement with state and federal government cybersecurity agencies was cited as a key component of their response strategy, indicating a coordinated effort to assess the scope of the incident and determine an appropriate course of action.
The incident represents a case where a ransomware group exfiltrates data and uses the threat of its publication as the primary lever for extortion, rather than solely relying on encrypting systems and disrupting operations to force payment. The countdown timer on the Medusa blog site created a defined timeframe for the organization to respond before the threatened release of data, a common pressure tactic in such cyber extortion schemes. The public listing of the cancer centre on this site served to amplify the pressure beyond the victim organization to the public domain, engaging media attention and potentially causing alarm among patients and staff.
The impacts of such an incident extend beyond the immediate technical intrusion. For a healthcare provider specializing in cancer treatment, the potential erosion of patient trust is a significant consequence, even if the actual data breach is ultimately found to be limited. Patients entrust highly sensitive personal and medical information to such institutions, and any event that threatens the security of that data can have a profound effect on the patient-provider relationship. The operational impact, while reportedly not affecting databases directly, likely required the diversion of significant internal resources to investigate the claim, assess systems, and manage the public response.
The broader context of the attack places it within a pattern of increasing targeting of healthcare institutions by cybercriminal groups. These organizations are often seen as lucrative targets due to the critical nature of their services and the sensitivity of the data they hold, which can make them more likely to consider paying a ransom to avoid operational disruption and public exposure of private information. The targeting of a cancer centre specifically highlights the particularly sensitive nature of the data involved and the potential for severe harm if such data is released indiscriminately.
The investigation by NSW Health and its partner agencies would have focused on verifying the claims made by the Medusa group, including determining what specific data, if any, was actually exfiltrated from the centre's networks. This process involves forensic analysis to identify gaps in the security posture and to understand the initial attack vector the threat actors used to gain access. Containing the incident involves identifying and securing any access points used by the attackers to prevent further unauthorized access or data exfiltration.
The official statements from NSW Health maintained a consistent message that their systems were not impacted, suggesting a containment of the technical breach, but the extortion threat related to the stolen data remained an active concern as long as the countdown timer on the leak site was active. The ultimate outcome of the threat, whether the data was released or the ransom was paid, was not disclosed in the immediate reporting of the incident. The focus of the public reporting was on the initial detection, the claims of the threat actor, the response actions initiated by the health authority, and the potential implications for the affected cancer centre and its patients. The incident underscored the ongoing challenges faced by critical infrastructure, particularly in the healthcare sector, in defending against and responding to sophisticated cyber extortion campaigns.
