Australian Clinical Labs said on Thursday its Medlab Pathology business suffered a data breach that affected health records and credit card information of about 223,000 patients and staff.

This is the latest in a series of hacks to rock corporate Australia, after the country’s biggest health insurer Medibank and No. 2 telco Optus were also hit by breaches that compromised the data of millions of customers

Read more at Yahoo! 

The claims by the corporation do not make a great deal of sense.

The Medlab Pathology breach was announced by Quantum Blog, who added the incident to their leak site with a data of June 14, 2022.  The threat actors wound up leaking 86 GB of data for anyone who wants to download it. Yet as recently as October 27 in a website notice, ACL claims:

To date, there is no evidence of misuse of any of the information or any demand made of Medlab or ACL.

No demand? The extortionists stole data and never made any extortion demand? Seriously?  Given  ACL’s repeated failures to detect the breach, can we have any confidence in their claim? Consider the timeline ACL provides in their statement:

Medlab became aware of an unauthorised third-party access to its IT system in February 2022. ACL immediately coordinated a forensic investigation led by independent external cyber experts into the Medlab incident. At the time, the external forensic specialists did not find any evidence that information had been compromised.

In March, the company was contacted by the ACSC outlining that it had received intelligence that Medlab may have been the victim of a ransomware incident. The company responded to the request for information and confirmed that to its knowledge the company did not believe that any data had been compromised.

In June, ACL was again approached by the ACSC, which informed ACL that it believed that Medlab information had been posted on the dark web. ACL took immediate steps to find and download this highly complex and unstructured data-set from the dark web and made efforts to permanently remove it.

They apparently were unable to get it removed, as the data are still available for download as of time of this publication. And yet they claim there was no ransom demand?

DataBreaches sent inquiries to both Medlab and Quantum, but has received no replies as yet.