Australia’s largest skin cancer study, run by Brisbane-based research institute QIMR Berghofer, has become the latest victim of hackers.
More than 1,000 participants in an online survey have been caught up in the third-party data breach, which QIMR Berghofer said could have included people’s names, addresses and Medicare numbers.
There is still almost no information available on the hackers, including who is responsible or where the data is being held, though it is believed that the group will not release the stolen data publicly.
The survey was sent out to 9,749 people back in November 2021 and included sensitive questions that touched on personal details, such as marriage status and current menstruation, with the 1,128 responses stored on servers provided by Datatime, a tech company hired by QIMR to help process the results.
Datatime, which is widely used by government, universities, and businesses, notified QIMR Berghofer about the security breach, which occurred on 3 November 2022. Although QIMR sent out an alert to around 30,000 people who could have been affected, media commentators have questioned why the public was not also informed at the time.
There is also concern that the lack of wider public knowledge could impact Australians’ trust in, and willingness to participate in, medical research.
“We are extremely sorry that participants of this study have been impacted by the third-party data breach. QIMR Berghofer takes these matters very seriously, which is why we only engage highly credentialed data processing entities such as Datatime,” a spokesperson for QIMR Berghofer said in a statement issued 20 March 2023.
“Once notified of the breach, QIMR Berghofer identified affected participants and contacted them directly by email in accordance with the recommendation of the Office of the Information Commissioner Queensland.”
The participant notification included all information that was known and provided by Datatime including a description of the data breach, the kinds of information that may have been compromised, and the steps people could take to protect themselves.
QSKIN research principal investigator Dr David Whiteman told ABC Radio Brisbane on 21 March 2023 that Datatime had given strong assurances that none of the stolen data had appeared anywhere in public on the Web – ‘and they don’t believe it will.’
“We take this extremely seriously and it is obviously very concerning to people in our study, and to us as medical researchers who are only trying to do the right thing. And we take every step that we can to ensure the confidentiality and integrity of the data,” Dr Whiteman said.
“We use those data processes, third party contractors, because of their expertise in this area. They are the experts, and they have the accreditation and the security platforms for processing these large data sets.”
Datatime followed strict privacy protocols and notified the Office of the Australian Information Commissioner to disclose the data breach. All relevant state and federal authorities, including the Australian Cyber Security Centre, Federal Police and Federal Government’s cyber experts, were also advised.
“But again, we did not wish to cause undue concern amongst those who were not affected,” Dr Whiteman said.
“And so that is why we told the people in our study – that was our absolute priority… People of course phoned us, and emailed us, and sought more information, and we responded to all those concerns that people had, and we continue to do so.”
However, Dr Whiteman also highlighted that even though the data breach occurred early in November 2022, the fact that it had only just become a news story was also likely to affect public confidence in medical research.
“I am not exactly sure why this story has become an issue as of today. This has been managed for the past couple of months and all our participants have been made aware of it – it was not kept a secret in any way,” Dr Whiteman said.
“I think the larger issue is that if these cyber criminals are now attacking institutions that are trying to do public good research, we have reached a sorry state. It is just really sad for research and medical research in this country that cyber criminals are jeopardising the future health of Australians.
“It is just a very black day in that respect, and I am deeply sorry about it. We really hope that these criminals are brought to justice.”
He noted that a small number of people had already contacted QSKIN and asked to have their data removed, but asked for patience from the rest of the study’s participants as the investigation continues.
“We perfectly understand if people wish to withdraw from the study and it’s been made clear that people have that opportunity – but we would hope that they would hold in for the long haul,” Dr Whiteman said.
“Melanoma and skin cancer remain terrible problems in Australia. They are preventable diseases, and we lose too many Australians each year to these dreadful conditions.
“I would hope that we can rise above these cyber criminals and not have to change what we do, in adverse ways that prevent us finding out how to save people’s lives from these diseases.”