DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

TissuPath’s data breach notice provides details about how they were attacked and their incident response

Posted on September 21, 2023 by Dissent

Mirage reports:

TissuPath, a specialist pathology firm in Australia, has experienced a data breach due to a cyber security incident. The breach involved a third-party supplier attack, accessing pathology referral records kept in a backup storage drive.

Read more at Mirage News.

TissuPath has posted a security notice on its website that begins with an explanation that is somewhat admirable for its details:

On 24 August 2023, TissuPath Pathology Pty Ltd (TissuPath) had a cybersecurity incident caused by a supply chain attack via one of its main 3rd party suppliers. One of its storage drives was illegally accessed by legitimate accounts which had been compromised. The data potentially obtained by the threat actors is from pathology referrals issued to TissuPath between 2011 and 2020.

Our investigations have uncovered that the threat actor’s illegal entry was gained via a 3rd party supplier. The supplier’s IT systems and user accounts were compromised due to a vulnerability on their remote access toolkit (RAT). These legitimate administrator accounts were mimicked to gain access into TissuPath IT ecosystem.

The types of information captured and stored by the lab systems are as follows:

  • Patient First Name
  • Patient Surname
  • Patient Date of Birth
  • Patient Gender
  • Patient Address (if provided)
  • Patient Mobile Number (if provided)
  • Patient Medicare Card Number (if provided)
  • Patient Private Health Insurance Account Number (if provided)
  • Doctor Name
  • Doctor Practicing Address
  • Doctor Medicare Provider Number
  • Doctor Contact Number (if provided)

Read more of their security notice. The notice reveals that they were contacted by a threat actor who made a ransom demand, but states that they have not had any contact with the threat actor. They do not name either the third party supplier or which threat actor group, but on September 2, the AlphV (BlackCat) group claimed responsibility for the attack and added TissuPath to its leak site. On September 5, AlphV updated their listing by leaking what they claim is all the data:

P.S. 446 GB and 735,414 files has been exfiltrated. We’ve download all the data you have. Data dump contains Medical Records of your clients. We believe your clients will be very unhappy, and your silence will ruin your reputation.

TissuPath has also published a media notice.

Category: HackHealth DataNon-U.S.

Post navigation

← HK: Hacking of Cyberport sparks discussions of law on cyber security
Air Canada says unauthorized group breached employee data, hacked internal system →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say
  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.