What to Say in a Cyber-Attack: Melbourne Heart Group Case Study
By Georgia Comensoli and James Fitzpatrick
Fifteen thousand patients at Cabrini Hospital’s Melbourne Heart Group faced the nightmare scenario of a cyberattack on their health records.
As details of the hack hit the press, including suggestions that a ransom had been paid, Melbourne Heart Group handled the sensitivities of a cyberattack, the media pressure of a hot button topic and the necessity of social media with varying levels of success.
The Age recently broke the story that 15,000 patient files had been scrambled and encrypted as part of an overseas hack on the Melbourne Heart Group. The hack had happened three weeks prior to the story breaking.
Users were met with a message saying that their patients’ files had been encrypted, a demand for a ransom payable in cryptocurrency, and a warning that attempting to access the files could result in the permanent loss of data or a higher ransom. Amongst the files was sensitive medical information on patients both present and historical, as well as scheduling information.
The hack apparently had the hallmarks of an advanced malware attack from North Korea or Russia. The Age ‘understands’ a ransom has been paid.
What remains unclear is how many files were recovered, with some reports suggesting current patients had arrived for appointments that had been completely wiped from the system.
Melbourne Heart posted an awkwardly placed statement on their website.
Melbourne Heart Group failed to post the statement to their Facebook page, which has a single post from 2014. It has no Twitter account.
Meanwhile, Cabrini Hospital put out a tweet saying the cyberattack was entirely confined to Melbourne Heart Group. The hospital also set the tone by describing Melbourne Heart as, “a group of specialists who lease rooms at Cabrini Malvern”.
The most obvious question is whether Melbourne Heart Group made a mistake in keeping the story quiet for three weeks. If you break the story yourself, you can frame the narrative and your company can appear proactive. If the story is broken on you, you look defensive.
However, Crisis Shield is hesitant to jump to conclusions. If a ransom has been paid, there could be tactical reasons for the radio silence. As their statement says, “the health and wellbeing of our patients is always our primary concern”. If keeping quiet serves that end, then that’s appropriate.
But there are a number of other things Melbourne Heart Group should have done to get a better result.
Health organisations are the frequent subject of these kinds of attacks, thanks to the sensitive nature of the information they hold. As such, these organisations tend to be more familiar with standard practice for cyberattacks involving private information.
The first is to immediately contact the people impacted. Not only is it the right thing to do by your stakeholders, you are now legally obliged to: in early 2017 the Australian Senate passed a privacy amendment bill which mandates that businesses, government agencies, not-for-profits and individuals are required by law to notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals (consumers, customers, staff etc.) of any data breach. You can read more information about this scheme on the OAIC's website.
Second, Melbourne Heart Group’s social media presence is very limited. You can repost website statements on your social media pages to give yourself the best chance of your stakeholders seeing the message. Having social media accounts with regular content is the ideal situation, because your audience is engaged and trained to expect a message. At the very least you should have Facebook and Twitter.
Third, while the company gave assurances that no patient’s privacy had been violated, were their medical records backed up? Was their care compromised?
Two days after the news broke, a security journalist reported that patient data had been backed up and was being restored, but that the restoration was taking time.
This is essential information to get out to all stakeholders. People cannot be allowed to think that there could be a patient whose health is at risk because their data is lost.