Cyber Incident
Glebe Hill Family Practice cyber incident
Earlier this year, Glebe Hill Family Practice (GHFP) became aware that it had experienced a cyber security incident involving one of its email accounts, through which an unidentified third party sent unauthorised phishing emails.
The account involved is an administrative mailbox used to deal with website enquiries and patient requests for certain documents and information.
In response to the incident, GHFP undertook the following steps:
- advised recipients of the phishing emails that the email was spam and to not follow any links (and if any links had been clicked, provided guidance to change their login details);
- engaged leading cyber security advisors to conduct a detailed forensic investigation to confirm exactly what happened;
- reset all email account passwords and ensured that the incident was contained; and
- implemented ongoing training for our staff around cyber vigilance and general online safety.
We have no evidence that any data in the mailbox involved was accessed by the unidentified third party. We also confirm that the security of GHFP’s database containing patient data has not been breached. Based on its investigation, GHFP understands that the primary motivation of the unauthorised third party was further spreading its phishing campaign, rather than accessing or misusing any data. However, out of an abundance of caution we are reviewing the contents of the mailbox to identify any individuals whose information may have been accessed.
Based on our review, we understand that a combination of contact information, health information and Medicare information was contained in the mailbox. We also identified some identification information for a limited number of individuals. We have no evidence to suggest that any personal information has been misused as a result of the incident.
Should our ongoing investigation identify that the incident involves you or your personal information, we will contact you directly to advise you as soon as we can.
GHFP takes the protection of data relating to its patients and staff very seriously. While there is no evidence that the third party accessed information in the mailbox involved, we understand that our patients may be concerned about any potential unauthorised access to their health information. GHFP is committed to providing you with the information and support that you need. We encourage you to reach out to us if you have any questions.
If you do have concerns about the incident, there are steps that you can take to protect yourself and your information, including:
- remaining alert for any phishing scams that may come to you by phone, post or email;
- verifying any communications you receive to ensure they are legitimate; and
- being careful when opening or responding to texts or emails from unknown or suspicious sources, and confirming their legitimacy.
If at any point you have concerns about identity theft (not just in relation to this incident), you can apply for an annual free credit report via Equifax, Illion or Experian:
| Name | Website |
| --- | --- |
| Equifax | https://www.equifax.com.au/personal/products/credit-and-identity-products |
| Illion | https://www.creditcheck.illion.com.au/ |
| Experian | http://www.experian.com.au/consumer-reports |
If you have any questions after reviewing this statement, please do not hesitate to contact us at [email protected]. Alternatively, you can contact us on 03 6169 0000.
The Office of the Australian Information Commissioner (OAIC) has also been notified about this incident.
We sincerely apologise that this incident has occurred and thank you for your patience and support during this time.