Posted 8 August 2019
Data on close to 40,000 Australians who have expressed interest in participating in clinical trials has been exposed in a massive cyber security breach.
Sydney-based trial recruiting service Neoclinical was the subject of the breach, which resulted from action by US-based cyber security business UpGuard.
UpGuard says that on 1 July, it discovered an unsecured Neoclinical database containing approximately 37,000 records in which patients answered medical history questions designed to assess whether they qualified for trials.
"In reviewing the data set, the vast majority of individuals affected were in Australia and New Zealand, where Neoclinical operates clinical sites. In addition to contact information, the database included users' responses to questions qualifying them for clinical trials, which included questions about medical diagnoses, illicit drug use and treatments," UpGuard said.
The Sydney Morning Herald and The Age reported late yesterday that Neoclinical had admitted the breach but had described it as "an exercise by a cyber security company demonstrating their expertise for marketing purposes".
A Neoclinical spokesperson was quoted as saying: "A US cyber security company which trawls the internet looking for data access found a way to get around the password protection and access our server. The cyber security company advised Amazon Web Services, who are our hosting provider, who in turn advised us.
"On receiving this advice we immediately shut down all access to the server. Once the breach from the cyber security company was confirmed, we immediately contacted the Privacy Commissioner's office about the event and we are informing everyone whose details may have been affected."
The SMH said the Privacy Commissioner was told only yesterday, "after the Herald and The Age contacted Neoclinical".
According to UpGuard, on July 1 it "sent an email notification to Neoclinical. The researcher called both phone numbers on Neoclinical's website, one of which was disconnected and the other was configured to record a ten second message to be transcribed and sent as text. On July 25 the researcher escalated notification to AWS [Amazon Web Services] Security, which followed their standard procedure of responding that they would notify the owner of the database. On July 26, public access to the database was removed."