Skin cancer survey hack may have 'compromised' personal details, Medicare numbers of participants
By national technology reporter Danny Tran
Posted Sun 19 Mar 2023 at 6:40pm, updated Mon 20 Mar 2023 at 12:25am
Disability pensioner Paul Woodbridge, 61, was among those affected by the QIMR Berghofer data breach. (ABC News: Cameron Lang)
Australia's biggest skin cancer study has been hit by an unpublicised data breach, with the personal details of more than 1,000 people feared to have been accessed by hackers.
Key points:
QIMR Berghofer says names, addresses and Medicare numbers "may have been compromised"
The hacked data company says its servers held responses to personal medical survey questions
There is no legal requirement in Australia for companies to publicly disclose a data breach
The ABC can reveal cyber criminals last year broke into servers holding highly sensitive data collected by QIMR Berghofer, a medical research institute based in Brisbane.
The revelations come as QIMR Berghofer continues to recruit Australians for other scientific studies without publicly revealing it was the victim of a cyber attack, prompting calls for tighter public-disclosure laws.
The hacked servers were owned and operated by Datatime, a technology company hired by QIMR Berghofer to scan and process surveys for its QSKIN study, which has involved 50,000 Australians over more than a decade.
Datatime planned to permanently delete the sensitive material after 12 months, but was hit by the cyber attack before it could do so.
In November last year, hackers managed to briefly cripple Datatime by locking it out of its own systems and sending the company a sample of the stolen data.
Have you been affected by a data breach? Contact [email protected].
When approached by the ABC, QIMR Berghofer revealed 1,128 people were caught up in the data breach.
The medical research institute said information including a participant's "name, address and Medicare numbers may have been compromised as part of the breach".
"No other information, including genetic data or other, was involved or held by Datatime," it said in a statement.
"Once notified of the breach, QIMR Berghofer identified affected participants and contacted them directly by email in accordance with the recommendation of the Office of the Information Commissioner Queensland."
Datatime, on the other hand, told the ABC that survey responses from participants were in fact on its server at the time of the hack.
QIMR Berghofer would not say whether it was the subject of any other unpublicised data breaches, and why it had not publicly disclosed this breach.
QIMR Berghofer Medical Research Institute collected survey data for Australia's largest skin cancer study. (ABC News: Cameron Lang)
Paul Gallo, the chief executive of the PNORS Technology Group which owns Datatime, said the company's cyber experts "do not believe any further data was breached, which includes the QSKIN data survey".
"After a rigorous and extensive investigation by internal and external cyber security experts, it was determined that no private data was released into the public domain," Mr Gallo said.
"There has been no further contact with the cyber hackers and we have no reason to believe any private data has been, or will be, released."
But an email seen by the ABC and sent to survey respondents last November by David Whiteman, the study's principal investigator, reveals this was a genuine concern.
"While we cannot provide categorical confirmation, it is possible that your survey data have been compromised," Professor Whiteman said in the email.
"We do not know yet whether the cyber-criminals have accessed QSKIN's survey data, however we wanted to let you know in case it is possible that your name, contact details, and Medicare number, and potentially responses to your survey form were accessed."
Survey respondents feel 'ill', 'upset' after breach
The QSKIN study set out to investigate how skin cancers and melanomas developed.
Paul Woodbridge, a 61-year-old disability pensioner, was more than happy to be involved.
"I live in Queensland, Australia's sunburn capital of the world … I don't have melanoma or anything but I don't want to get it and I don't want more people to get sick," Mr Woodbridge said.
Disability pensioner Paul Woodbridge says "nobody seems to want to" help him. (ABC News: Cameron Lang)
Survey respondents were asked extensive questions about their medical history including sun exposure, feelings of anxiety and depression, whether they had been through a recent divorce, and whether female participants were still menstruating.
It also asked participants for access to their Medicare and Pharmaceutical Benefits Scheme records, the latter of which reveals a person's prescription medication history.
It assured those participating that their data would be "treated completely confidentially".
Mr Woodbridge said the data breach had left him sleepless.
"I just thought I'll participate in it for the public good, and it didn't work out for my good at all," he said.
Paul Woodbridge was happy to take part in the survey, but is upset that his data was put at risk. (ABC News: Cameron Lang)
The Brisbane man said he had "been ill about it".
"It just makes you a little bit crazy because you can't see the end of it … I don't know what's out there and I don't know how it's going to end and nobody seems to want to help me."
Mr Woodbridge said the last time he heard from QIMR Berghofer was two weeks ago when the medical institute tried to recruit him into another study on Parkinson's disease.
"I felt outraged," he said.
"I'm probably not the only person like this, they probably sent emails to everybody else who participated in the QSKIN surveys and other surveys without telling them what's happening, and just say, 'Oh look trust us again with your data, she'll be right, she'll be right.'
"That doesn't make me feel good at all. They don't respond and then they invite me back again."
Helene Moorhouse, of Chermside in Brisbane's northern suburbs, was also contacted by QIMR Berghofer in November last year, advising her of a data breach.
Helene Moorhouse, 81, thinks QIMR Berghofer should have made a public announcement. (ABC News: Cameron Lang)
Ms Moorhouse, 81, has had a decades-long battle with skin cancer, involving surgeries and radiation. She too took part in the study in the hope of fighting the disease.
"I'm upset … I think if you take part in these studies, thinking that a very large organisation with hopefully all the resources they've got will keep the information that you provide to them safe," Ms Moorhouse said.
"This wasn't what I signed up for … they failed in their duty to me."
She wants QIMR Berghofer to make it clear that it was part of a data breach.
"Acknowledge what's happened and apologise to the people that were affected and say to the people coming into the study, 'We're doing our very best to ensure this doesn't happen,'" she said.
Organisations should announce breaches publicly, expert says
Data breach expert Jane Andrew from the University of Sydney says current data breach laws are not fit for purpose because there is no legal requirement to publicly disclose a hack.
"I think all organisations who are engaged in or have an event that is deemed to be harmful, potentially harmful or likely to cause harm, that they should make a public announcement," Professor Andrew said.
"I do think it means that if you then are about to make a decision as to whether you, in this case, engage with this research institute in the future, you actually understand the risks properly."
QIMR Berghofer said it was strengthening accreditation for its contractors.