(Reuters) — One of Australia’s biggest pathology providers said hackers stole medical data from thousands of patients, the country’s second such breach in two weeks, deepening fears about how companies collect sensitive customer information.
The disclosure on Thursday sent shares in Australian Clinical Labs Ltd. to their lowest level since listing last year, extending a wave of hacks that have rocked the nation’s biggest companies. A day earlier, leading health insurer Medibank Private Ltd. said that criminals took data from all 4 million of its customers.
ACL said it first became aware of unauthorized access to the IT system of its pathology unit, Medlab, in February and was advised that no information was compromised. The government’s cybersecurity agency notified it in June that its data had been posted on the dark web, a system of websites accessible only through certain browsers.
The company said it then hired forensic analysts to study the “complex and unstructured” trove of data found there, and learned that 223,000 patients’ data had been exposed, including medical and health records for about 18,000 people.
There was no ransom demand or evidence of data misuse, but “we recognize the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected,” ACL chief executive Melinda McGrath said in a statement.
Private equity firm Crescent Capital, which listed ACL in 2021 and holds 23% of its shares, declined to comment. Crescent sold 14.3% of the company in August, a stock market filing shows.
Outside of health care professionals, businesses in Australia have been reeling since Sept. 22, when the country’s second-largest telco, Singapore Telecommunications Ltd.-owned Optus, disclosed a breach of up to 10 million customer accounts, equivalent to 40% of the country’s population.
No. 1 grocery chain Woolworths Group Ltd. then revealed that the data of millions of customers using its bargain shopping site had been compromised. A host of smaller and unlisted companies have also made breach notifications, prompting lawyers to question the amount of data private companies are allowed to collect and for how long.