NSW Health has warned that “health-related personal information” and “identity information” is among the data accessed by attackers involved in the compromise of Accellion file transfer software.
The agency said in a statement late Friday that it had started “notifying people whose data may have been accessed in the global Accellion cyber attack.”
“Medical records in public hospitals were not affected and the software involved is no longer in use by NSW Health,” NSW Health said.
“Different types of information, including identity information and in some cases, health-related personal information, were included in the attack.
“NSW Health has been working with NSW Police and Cyber Security NSW and to date, there is no evidence any of the information has been misused.”
“We are making impacted people aware of the attack so that they can take appropriate precautions and access our support services,” a NSW Health spokesperson added.
NSW Health said that only people it directly contacted may require assistance; “if you are not contacted by NSW Health, no action is required,” it said.
Strike Force Martine, set up by NSW Police and Cyber Security NSW, has been investigating the impact on NSW government agencies that were caught up in the Accellion breach.
Last week, a post-incident report commissioned by the Reserve Bank of New Zealand – another high-profile Accellion victim – found Accellion’s vulnerability notification system was malfunctioning at the time of the incident, leading to a delay in notifying customers of the incident.