
Cyber Incident Victim: Apunipima Cape York Health Council

Date: Oct 2022

Location: Australia

Summary

A cyber-security incident at Apunipima Cape York Health Council involved unauthorized third-party access to its IT systems, with potential data exfiltration from corporate file servers, though forensic investigations confirmed no compromise of medical records or email systems. The organization detected a deep web post claiming responsibility but found no evidence of published data. Service continuity was maintained through manual processes, causing minor operational delays. Authorities including the Australian Cyber Security Centre and law enforcement were notified, and additional security controls were implemented post-incident. While analysis of potentially accessed corporate data was ongoing, the organization collaborated with IDCARE to provide support if personal information was affected.


Description

Apunipima Cape York Health Council, an Aboriginal Community Controlled Health Organisation, detected a cybersecurity incident around October 1, 2022, involving unauthorized third-party access to its IT environment. The organisation became aware of a deep web post by an unidentified actor claiming responsibility for the breach, which allegedly involved possible data exfiltration. Apunipima immediately engaged external cybersecurity and forensic IT experts to contain the incident, secure systems, and initiate an investigation. Core systems were taken offline as a precaution, forcing the organisation to implement manual business continuity processes to maintain essential health services across Cape York communities. While manual processes proved operational, they resulted in service delivery delays affecting some patients and clients. Apunipima promptly notified the Australian Cyber Security Centre (ACSC), Office of the Australian Information Commissioner (OAIC), and law enforcement agencies, maintaining ongoing liaison throughout the response.

The forensic investigation concluded by December 8, 2022, confirming no evidence of unauthorized access to medical records or email systems. However, analysis revealed potential compromise of limited corporate file servers, with further review required to determine if personal information was affected. Apunipima committed to notifying individuals and regulators should the review identify compromised personal data, with findings expected in early 2023. Throughout the incident, deep web monitoring showed no publication of stolen Apunipima data. The organisation implemented enhanced cybersecurity controls based on advisory recommendations to prevent recurrence. Service restoration progressed gradually, transitioning from manual operations back to automated systems. Apunipima coordinated with Queensland Health and IDCARE to provide community support, while maintaining health service continuity despite operational disruptions caused by the sustained systems outage.
