Cyber Security Incident

On 12 December 2023, Crace Medical Centre was alerted to activity on our systems which indicated a potential cyber incident had occurred. We quickly commenced an investigation into that activity, and we took immediate action to ensure the ongoing security of our systems.

Unfortunately, our investigations have identified that patient data was accessed and taken from our systems by an unauthorised third party. We are not aware of any impacted personal data relating to our patients that has been published online.

We take the privacy of our patients incredibly seriously and are informing them of this development as well as of protective measures they can take to safeguard their information.

What information has been impacted?

Health Information

Health information impacted by the incident could include details of the diagnoses, treatment, or recovery of a medical condition or disability, as well as other health information contained within your medical record.

Health and other sensitive personal information by itself is generally not useful to a cyber-criminal.

However, we acknowledge and understand that it may be upsetting to have your health information accessed. We regret that this incident has taken place and sincerely apologise for any unease this may cause you.

If you are experiencing any distress, we recommend that you seek health advice from a registered health professional you know and trust.

Medicare or Pensioner Cards

Medicare card or Pensioner card details have also been impacted by the incident.

We have provided information to Services Australia regarding impacted Medicare card details. This is so Services Australia can apply increased security measures. Please visit the Services Australia website for more information on how you can protect your personal information after a cyber security incident.

If you choose, you can contact Medicare to obtain a replacement card free of charge. You can do this by:

• using your Medicare online account through myGov
• the Express Plus Medicare mobile app
• calling the Medicare program.

If your pensioner concession card has been impacted, you can replace it by:

• requesting a new card via your myGov account linked to Centrelink
• calling Centrelink on 132 300 or your regular payment line
• visiting a Centrelink Service Centre.

If you are concerned about other Services Australia record(s), you can contact the Scams and Identity Theft Helpdesk by calling 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).

Other Information

Where other information, such as identity documents (e.g., driver licences or passports), have been impacted by the incident, we are contacting those patients directly to inform them of this.

If you need more details about the information we hold about you please contact cyber@cracemc.com.au.

Preventative Measures

In addition to the above, we encourage our patients to take the following simple preventative steps to protect their information and avoid any potential scams:

• Look out for scammers – including suspicious emails, texts, phone calls or messages on social media. Never click on any links that look suspicious, never provide your passwords, or any personal information.
• Consider changing your online passwords. Use strong passwords and enable multi-factor authentication for your online accounts where possible.

You can also find further information about online safety, cyber security and helpful tips to protect yourself at the following websites:

• Ways to protect your privacy | OAIC
• ACCC’s Scam watch website
• Protect yourself | Cyber.gov.au

Conclusion

We are committed to protecting the information of all our patients and we are confident that all appropriate steps have been taken to remediate the incident and further enhance the security of our systems moving forward.

We have also reported the incident to and continue to engage with the relevant Australian agencies and authorities including the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC), the Australian Digital Health Agency (ADHA) and Services Australia.

Once again, we regret that this incident has occurred and affected our patients. If you have any questions about the incident itself, or the information we hold about you, please contact us at cyber@cracemc.com.au.

 

Frequently Asked Questions

What has occurred?

On 12 December 2023, Crace Medical Centre was alerted to activity on our systems which indicated a potential cyber incident had occurred. Once aware of the incident, we quickly commenced an investigation into the activity, and took immediate action to ensure the ongoing security of our systems.

This investigation is now complete.

Who has been impacted?

Unfortunately, our investigations have identified that patient data of Crace Medical Centre was accessed and taken from our systems by an unauthorised third party.

We take the privacy of our patients incredibly seriously and are informing them of this development as well as of protective measures they can take to safeguard their information.

What information has been impacted?

The patient data which was accessed is relevant to health information and the Medicare or Pensioner Card details of some of our patients. For a small number of our patients, some identity documents such as their driver’s licence number has also been impacted.

The health information impacted by this incident could include details of a diagnoses, treatment, or recovery of a medical condition or disability, as well as other health information contained within a patient’s medical record.

If you have not received a communication confirming that your identity documents have been impacted, then we have not identified this information as having been accessed during the incident.

Has the incident been resolved, and access stopped?

Yes, we are confident that all appropriate steps have been taken to remediate the incident and further enhance the security of our systems moving forward.

What actions have been taken since the incident occurred?

Once aware of the incident, we worked urgently to contain the threat and investigate what occurred. We are confident that all appropriate steps have been taken to remediate the incident and further enhance the security of our systems moving forward.

We have notified the relevant Australian regulatory bodies including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) and are following their guidelines.

We are also engaging with Services Australia regarding impacted customer credentials to ensure Services Australia can apply increased security measures. If you are concerned about the security of your Medicare, Centrelink and myGov accounts, please visit the Services Australia website for more information on how you can protect your personal information after a cyber security incident.

Has any personal data been published externally?

No. As of 07/03/2024, we are not aware of any impacted personal data relating to our patients that has been published online.

We will ensure all impacted individuals are kept updated and informed if this changes.

 Is Crace Medical Centre still open? 

Our medical centre remains open to all patients. We are confident that all appropriate steps have been taken to further enhance the security of our systems, so that we can continue to provide the highest quality care.