Incident

Melbourne-based TissuPath Pathology impacted by third-party data breach



The ALPHV ransomware group has targeted Melbourne pathology firm TissuPath by exploiting login credentials from a third-party supplier. In this breach, unauthorized access to one of TissuPath's storage drives occurred through compromised legitimate accounts. The potentially compromised data dates back to pathology referrals issued to TissuPath from 2011 to 2020.

The breach was initiated through a vulnerability discovered in the remote access toolkit (RAT) of the third-party supplier, leading to the compromise of their IT systems and user accounts. The threat actors then leveraged mimicked legitimate administrator accounts to gain entry into TissuPath's IT environment.

Upon learning of the attack on their IT systems, TissuPath focused on containing the threat, limiting exposure and securing the remote access to their systems, ensuring data security, and preventing disruptions to other services.

The data exposed in the breach can include:

  • first name,
  • surname,
  • date of birth,
  • gender,
  • address,
  • mobile number,
  • Medicare card number,
  • private health insurance account number,
  • doctor information (name, practicing address, Medicare provider number, contact number)

The number of affected individuals has not been disclosed, although the ALPHV gang claims to have stolen over 471GB of data.

ABC is reporting that the breach was related to a cyber security incident at IT company Core Desktop, based in Victoria. It has seen a letter from TissuPath, sent to its clients, informing them of the breach: “Our cyber forensic team do not have a firm understanding of the origins of the entry, but initial suggestions are that it was from a targeted client-side phishing attack which infiltrated our control systems, impersonated privileged accounts and encrypted some servers”.

TissuPath stores pathology specimens and referrals related to suspected cancer patients for a duration of 20 years, following the specifications outlined by the National Pathology Accreditation Advisory Council (NPAAC).

TissuPath promptly notified all primary referring doctors of the security incident via a notification letter on August 25, 2023.

In response to the data breach, individuals are advised to monitor online accounts, report suspicious activities to financial institutions, avoid clicking on questionable email or SMS links, exercise caution with unsolicited calls claiming to be from TissuPath, decline unauthorized computer access requests, and refrain from sharing personal or financial information.
