Full Report
The records of every Tasmanian who has requested an ambulance since November 2020 have been published online.
Analysis Summary
# Incident Report: Tasmanian Ambulance Paging System Data Exposure
## Executive Summary
The archaic radio paging system used by Ambulance Tasmania was compromised by interception of its over-the-air traffic, resulting in the exposure of patient records dating back to November 2020. The exposed data, which included sensitive information such as HIV status, age, gender and incident addresses, was received off the air, converted to text and published on a website that has not been named. Following the incident, Ambulance Tasmania limited the personal information sent via the paging system.
## Incident Details
- Discovery Date: January 9, 2021 (Date of reporting)
- Incident Date: Ongoing compromise affecting data since November 2020
- Affected Organization: Ambulance Tasmania / Tasmanian Government Department of Health
- Sector: Government / Emergency Services (Ambulance)
- Geography: Tasmania, Australia
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but compromise impacted reports since November 2020.
- Vector: Interception of radio data from the Tasmanian Ambulance pager network, which relies on an antiquated communication system.
- Details: Attackers received the raw radio data, converted it to text and published it.
### Lateral Movement
- Not explicitly detailed. The attack focused on eavesdropping and broadcasting compromised data rather than deep network infiltration.
### Data Exfiltration/Impact
- Sensitive patient data, including HIV status, gender, age, and incident addresses for every Tasmanian who requested an ambulance since November 2020, was published online.
### Detection & Response
- **Detection:** The breach became public knowledge, leading to statements from Health Minister Sarah Courtney on January 9, 2021.
- **Response Actions:** Appropriate steps were taken by Ambulance Tasmania to limit the transmission of personal information via the paging system, balanced against operational safety needs. The website hosting the published data was blocked.
## Attack Methodology
- **Initial Access:** Passive interception of pager-network radio transmissions. Legacy paging protocols carry messages in cleartext, so anyone within radio range with a suitable receiver can read them; no cryptanalysis is required. The source does not name the protocol in use.
- **Persistence:** Not applicable. A passive receiver needs no foothold on the victim's systems, and the exposure continues for as long as cleartext pages keep being broadcast.
- **Privilege Escalation:** N/A
- **Defense Evasion:** None required. Receiving a broadcast leaves no trace on the transmitting organisation's systems, so the interception itself was not detectable by Ambulance Tasmania; only the subsequent publication was.
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** Receiving and decoding radio transmissions from the ambulance pager network, accumulated over the period from November 2020 onward.
- **Exfiltration:** Not needed in the usual sense, since the data was broadcast over the air. The converted text was published on an undisclosed website.
- **Impact:** Public disclosure of highly sensitive patient protected health information (PHI).
## Impact Assessment
- **Financial:** Not specified in the article.
- **Data Breach:** Patient records (since November 2020) including HIV status, age, gender, and incident addresses.
- **Operational:** Ambulance Tasmania had to keep dispatching crews while limiting the sensitive content sent over the paging system.
- **Reputational:** Significant concern expressed by the Health Minister regarding the exposure of sensitive Tasmanian information.
## Indicators of Compromise
- **Network indicators:** None available on the victim side; passive radio reception generates no traffic on Ambulance Tasmania's networks. The pager network's frequencies and protocol are the exposed surface, but the source gives no specific technical indicators.
- **File indicators:** Text files containing patient data published online (the publication site was reportedly blocked).
- **Behavioral indicators:** Contents of internal dispatch pages appearing on a public website.
## Response Actions
- **Containment:** Steps were taken by Ambulance Tasmania to limit the transmission of personal information over the compromised paging system.
- **Eradication:** The website hosting the published data was blocked. Blocking access does not remove copies already made; the source does not say whether the data itself was taken down.
- **Recovery:** Not explicitly detailed, but the response implies ongoing mitigation to secure communication channels.
## Lessons Learned
- Continuing to rely on antiquated technology (an unencrypted pager network) because it is familiar and operationally convenient exposes an emergency service to trivial passive interception; any broadcast channel without encryption must be treated as public.
- Inadequate security controls in critical infrastructure can lead directly to the exposure of highly sensitive personal and health information.
## Recommendations
- Migrate away from archaic communication systems (the legacy pager network) to communication infrastructure that provides encryption and authentication. Until that migration is complete, send only the minimum a crew needs to respond (a job reference, priority and location) over the pager, and deliver patient details through an authenticated channel.
- Conduct comprehensive reviews of all mission-critical, legacy systems that handle sensitive patient data to assess and remediate cybersecurity risks transparently.
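One way to implement the containment step above (limiting what goes over the pager) as a data-minimisation gate in front of the paging gateway. This is an added example, not Ambulance Tasmania's dispatch code, which the source does not describe. The record field names, the allow-list, the job reference format, the HMAC tag and the list used as a stand-in for the gateway are all assumptions.

```python
"""Data-minimisation gate for a cleartext paging channel (added example).

Assumed design: the pager carries only what a crew needs to start moving
plus a job reference; patient details are fetched over an authenticated
channel using that reference. Field names below are hypothetical.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

# Fields that must never leave the dispatch system over a cleartext channel.
# The set reflects the categories exposed in this incident plus common PHI.
SENSITIVE_FIELDS = frozenset(
    {"patient_name", "age", "gender", "hiv_status", "clinical_notes", "address"}
)

# Fields a crew needs on the pager to respond; everything else is retrieved
# over an authenticated channel using job_id.
PAGER_ALLOWED = frozenset({"job_id", "priority", "grid_ref", "dispatch_time"})


@dataclass(frozen=True)
class DispatchRecord:
    job_id: str
    priority: str
    grid_ref: str          # coarse map reference, not a street address
    dispatch_time: str
    patient_name: str = ""
    age: Optional[int] = None
    gender: str = ""
    hiv_status: str = ""
    clinical_notes: str = ""
    address: str = ""


def pager_payload(rec: DispatchRecord, channel_key: bytes) -> str:
    """Build the message that is actually broadcast.

    Only allow-listed fields are included. The job reference is tagged with a
    short HMAC so a crew can confirm the page is genuine when pulling the full
    record; the tag adds authenticity, not confidentiality, because the channel
    stays public.
    """
    fields = {name: getattr(rec, name) for name in PAGER_ALLOWED}
    tag = hmac.new(channel_key, rec.job_id.encode(), hashlib.sha256).hexdigest()[:8]
    body = " ".join(f"{name}={fields[name]}" for name in sorted(fields))
    return f"{body} tag={tag}"


def contains_sensitive(message: str, rec: DispatchRecord) -> List[str]:
    """Return the names of sensitive fields whose values appear in `message`.

    Second line of defence: catches PHI that a dispatcher pasted into free
    text. Values are matched whole, case-insensitively, on word boundaries,
    so short numeric values (an age) can false-positive against other numbers;
    a false positive here blocks a page, which is the safer failure.
    """
    hits = []
    for name in sorted(SENSITIVE_FIELDS):
        value = getattr(rec, name)
        if value is None or value == "":
            continue
        text = str(value)
        if re.search(r"\b" + re.escape(text) + r"\b", message, re.IGNORECASE):
            hits.append(name)
    return hits


def send_page(rec: DispatchRecord, free_text: str, channel_key: bytes,
              gateway: list) -> str:
    """Gate a page before it reaches the (hypothetical) paging gateway.

    `gateway` is a list standing in for the real transmitter; on success the
    broadcast message is appended to it and returned. Any PHI in the outgoing
    text causes a refusal rather than a silent redaction, so the dispatcher
    learns what they tried to send.
    """
    message = pager_payload(rec, channel_key)
    if free_text:
        message += f" note={free_text}"
    hits = contains_sensitive(message, rec)
    if hits:
        raise ValueError(f"refusing to broadcast PHI over cleartext pager: {hits}")
    gateway.append(message)
    return message


if __name__ == "__main__":
    # Constructed sample record; not a real patient or incident.
    sample = DispatchRecord(
        job_id="AT-0412", priority="P1", grid_ref="EN52 28",
        dispatch_time="2021-01-09T08:17", patient_name="Jane Citizen",
        age=54, gender="female", hiv_status="positive",
        clinical_notes="chest pain", address="12 Example St, Hobart",
    )
    transmitter: list = []
    print(send_page(sample, "", b"demo-channel-key", transmitter))
    try:
        send_page(sample, "pt at 12 Example St, Hobart, HIV positive",
                  b"demo-channel-key", transmitter)
    except ValueError as exc:
        print(exc)
```

The gate deliberately fails closed: a page with PHI in it is refused, not scrubbed, because an automated scrub that misses one field still broadcasts PHI to everyone in range. The HMAC key is shared between dispatch and crews' retrieval clients; it does nothing against a listener who only wants to read the page, which is why the payload carries no patient data at all.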