Dear Valued Customers of Armadale Pharmacy,
We are reaching out to inform you about a recent privacy breach involving the compromise of your personal information stored on our computer systems. This notification aims to provide you with an understanding of the incident, our response, and the implications for you as a customer.
On September 27th, our backup computer experienced a cyberattack. The perpetrator breached our internet security protocols, gaining unauthorized access. Subsequently, a ransomware attack occurred, encrypting all files, excluding those essential for the basic functioning of the operating system.
This attack extended to our primary dispense data storage, linked for daily backups. As a result, all dispensing data preceding the date of the incident was encrypted and rendered inaccessible. The unauthorized access to patient data is considered a privacy breach, prompting a comprehensive investigation.
To verify the integrity of the data and assess any potential copying or transfer, we engaged the services of our software vendor. According to their analysis, the size of the data is substantial, making internet-based data leakage impractical. Collaborating with our internet service provider, we compared upstream and downstream data usage for the month, identifying no significant spikes suggesting data leak via internet routes.
This incident has been reported to the Cybercrime Division of the Victorian Police, and the details retrieved from the affected computer have been forwarded to the Australian Federal Police for further investigation.
The attacker demanded payment in exchange for the decryption key and necessary software. Following advice from the Australian Cyber Security Centre, we chose not to comply with the ransom demand or engage with the threat actor in any manner.
As of now, we have not received any further threats or demands from the perpetrator.
To fortify our internet security, we consulted with an Internet Security Provider, implementing new security protocols and software to prevent future attacks and eliminate any residual vulnerabilities.
Within hours of the attack, we took immediate measures and conducted a series of investigations to confirm the impacted data. The following information relating to Prescription Dispensed has been affected:
First name and Surname
Date of birth
PBS safety net number issued
Individual Health Identifier Number (IHI)
Actions You Can Take Now:
To further safeguard your identity, we recommend the following steps:
Regularly update your passwords across all online services, avoiding password reuse, and enabling two-factor authentication where available.
Stay vigilant for phishing scams via phone, text, or email.
Verify the legitimacy of communications received.
Exercise caution when responding to texts and calls from unknown or suspicious numbers.
Monitor all accounts and devices for unusual activities, ensuring the latest security updates are applied.
If you are concerned about your exposed Medicare number, you can replace your Medicare card for free through the Medicare Services on the myGov App. For any unauthorized activity in your Medicare account, contact the Services Australia Scams and Identity Theft Help Desk to secure your compromised account.
If someone threatens to release your data unless payment is made, report it immediately to ReportCyber via their website. For reporting scams, use ScamWatch.
If you're feeling distressed or anxious, please reach out to us, or alternatively, contact your GP or the following support services:
Beyond Blue: 1300 224 636 / beyondblue.org.au
Lifeline: 13 11 14 / lifeline.org.au
In case of an imminent threat to your safety, call Triple Zero.
We sincerely apologize for the distress this incident may cause you. Your privacy and security are of utmost importance to us, and we are committed to taking every possible measure to prevent such incidents in the future. If you have any concerns or questions, please don’t hesitate to reach out to us.
Thank you for your understanding and continued trust in Armadale Pharmacy.
Armadale Pharmacy Management
This event has been assessed as an 'eligible data breach' under Part IIIC of the Privacy Act 1988 (Cth)(Privacy Act), and the Office of the Australian Information Commissioner has been notified of this event. This letter has been issued under section 26WL of the Privacy Act.