The records of every Tasmanian who has requested an ambulance since November 2020 have been published online.
# Incident Report: Tasmanian Ambulance Paging System Data Exposure
## Executive Summary
The antiquated ambulance paging system used by Tasmania was breached, resulting in the online publication of patient records for every individual who requested an ambulance since November 2020. The incident involved the interception and decoding of unencrypted radio transmissions, exposing highly sensitive health and location information. Response efforts focused on limiting what was transmitted over the vulnerable system.
## Incident Details
- Discovery Date: January 9, 2021 (Date of reporting)
- Incident Date: Ongoing, starting November 2020
- Affected Organization: Ambulance Tasmania / Tasmanian Government Department of Health
- Sector: Healthcare/Emergency Services
- Geography: Tasmania, Australia
## Timeline of Events
### Initial Access
- Date/Time: Commenced November 2020 or soon after.
- Vector: Interception of unencrypted radio data from the ambulance pager network.
- Details: Attackers were able to intercept radio transmissions from the pager network, convert them into readable text, and subsequently publish the content online.
### Lateral Movement
- Not explicitly detailed. The attack consisted of eavesdropping on, and collecting data from, a single vulnerable communication stream rather than traditional movement within an internal network.
### Data Exfiltration/Impact
- Sensitive patient data was published online to an undisclosed website. Data included patient HIV status, gender, age, and the exact address of the emergency incident.
### Detection & Response
- Detection: Reportedly discovered once the published data came to notice; the date of reporting is January 9, 2021.
- Response actions taken: Appropriate steps were taken by Ambulance Tasmania to limit the transmission of personal information via the paging system, balanced against operational safety needs. The website hosting the data was reportedly blocked.
## Attack Methodology
- **Initial Access:** Interception/Eavesdropping of unencrypted, public-broadcast radio frequency communications (Pager network).
- **Persistence:** N/A (Likely continuous interception while the system remained in use).
- **Privilege Escalation:** N/A
- **Defense Evasion:** None required. The "classical technology" of the antiquated paging system broadcasts in the clear and offers no security controls to bypass, so interception needed no traditional evasion techniques.
- **Credential Access:** N/A
- **Discovery:** Listening/Monitoring the radio frequency spectrum used by the pagers.
- **Lateral Movement:** N/A
- **Collection:** Interception and conversion of radio data signals into text records.
- **Exfiltration:** Publication on an undisclosed website.
- **Impact:** Exposure of highly sensitive patient health information (PHI).
## Impact Assessment
- **Financial:** Not disclosed in the provided text.
- **Data Breach:** Records of every Tasmanian who requested an ambulance since November 2020. Data included highly sensitive Protected Health Information (PHI) such as HIV status, age, gender, and precise incident addresses.
- **Operational:** Restricting what the paging system transmits, as required to stop the leakage, may constrain incident-response communication; security had to be balanced against patient and staff safety.
- **Reputational:** Significant reputational damage to Ambulance Tasmania and the Tasmanian Department of Health due to the exposure of extremely private medical data.
## Indicators of Compromise
- **Network indicators (defanged):** N/A (Specific C2 or external IPs not listed).
- **File indicators:** N/A (Specific exposed file formats or hashes not listed).
- **Behavioral indicators:** Persistent monitoring and decoding of unencrypted radio traffic on the frequency used by the ambulance paging system.
## Response Actions
- **Containment measures:** Appropriate steps were taken by Ambulance Tasmania to limit the transmission of personal information via the paging system.
- **Eradication steps:** The external website hosting the published data was reportedly blocked.
- **Recovery actions:** Transitioning away from the antiquated system appears to be the necessary long-term recovery and mitigation step, as the current system was identified as placing services at "heightened risk of further cyberattacks."
## Lessons Learned
- Over-reliance on familiar but antiquated communication technology (analog radio paging) introduces significant, easily exploited security vulnerabilities.
- Communication systems handling sensitive patient data must use encryption or modern secure protocols, even where older systems are more familiar to staff.
- The operational safety requirements of emergency services must be balanced proactively with digital security requirements; aging systems put both at risk.
## Recommendations
- Immediately decommission the vulnerable ambulance paging radio system or implement mandatory, end-to-end encryption on all transmissions if the system must remain operational in the short term.
- Conduct a comprehensive audit of all legacy communication and IT infrastructure within the Tasmanian Department of Health/Emergency Services to identify other antiquated systems susceptible to passive interception.
- Prioritize investment in modern, secure digital communication platforms suitable for handling Protected Health Information (PHI).