TissuPath’s data breach notice provides details about how they were attacked and their incident response

Posted on by Dissent

Mirage reports:

TissuPath, a specialist pathology firm in Australia, has experienced a data breach due to a cyber security incident. The breach involved a third-party supplier attack, accessing pathology referral records kept in a backup storage drive.

Read more at Mirage News.

TissuPath has posted a security notice on its website that begins with an explanation that is somewhat admirable for its details:

On 24 August 2023, TissuPath Pathology Pty Ltd (TissuPath) had a cybersecurity incident caused by a supply chain attack via one of its main 3rd party suppliers. One of its storage drives was illegally accessed by legitimate accounts which had been compromised. The data potentially obtained by the threat actors is from pathology referrals issued to TissuPath between 2011 and 2020.

Our investigations have uncovered that the threat actor’s illegal entry was gained via a 3rd party supplier. The supplier’s IT systems and user accounts were compromised due to a vulnerability on their remote access toolkit (RAT). These legitimate administrator accounts were mimicked to gain access into TissuPath IT ecosystem.

The types of information captured and stored by the lab systems are as follows:

  • Patient First Name
  • Patient Surname
  • Patient Date of Birth
  • Patient Gender
  • Patient Address (if provided)
  • Patient Mobile Number (if provided)
  • Patient Medicare Card Number (if provided)
  • Patient Private Health Insurance Account Number (if provided)
  • Doctor Name
  • Doctor Practicing Address
  • Doctor Medicare Provider Number
  • Doctor Contact Number (if provided)

Read more of their security notice. The notice reveals that they were contacted by a threat actor who made a ransom demand, but states that they have not had any contact with the threat actor. They do not name either the third party supplier or which threat actor group, but on September 2, the AlphV (BlackCat) group claimed responsibility for the attack and added TissuPath to its leak site. On September 5, AlphV updated their listing by leaking what they claim is all the data:

P.S. 446 GB and 735,414 files has been exfiltrated. We’ve download all the data you have. Data dump contains Medical Records of your clients. We believe your clients will be very unhappy, and your silence will ruin your reputation.

TissuPath has also published a media notice.

Category: HackHealth DataNon-U.S.