- Thousands of ambulance calls in Tasmania were accessible online due to a system misconfiguration.
- The information in the live-updated list included patient names, addresses, HIV status, and incident details.
- The website has now been taken offline, but it had been up and accessible for over two months.
Everyone in Tasmania who has called an ambulance since November 2020 has had their private data published online in a cleartext list. In fact, the list was linked to the ‘Ambulance Tasmania’ live paging system, so it was still being updated each time the paramedics were called to an emergency.
In total, the data leak involves 26,000 items with details about the call-outs. The website has now been taken offline, and the Australian Cyber Security Centre is working to ensure that this won’t happen again, but the damage has been done.
The details that were exposed include the address of the incident, the patients’ names, their HIV status, gender, age, and any other incident-specific details. Exposing these details is an obvious breach of privacy, and in the case of HIV status, the exposure could lead to stigmatization and discrimination against the person.
‘Ambulance Tasmania’ used this system only as a communication channel between the paramedics and the call center agents, to ensure that their response to incidents would be targeted and effective. Unfortunately, though, the agency failed to protect the sensitive data it collected for this purpose.
The agency assures the public that it has now taken the appropriate steps to secure the paging system, blocked access to the leaking site, and discussed the matter with the Department of Health secretary to determine the next steps. Moreover, a spokesperson added that the investigation would continue, but the community shouldn’t fear calling “000” if they’re dealing with an emergency. Their data is now safe from unauthorized access.
The paging system was recently going through a changeover, as a half-a-billion-dollar investment from the Tasmanian Government included its modernization via a special project assigned to a new entity. However, it has not been clarified whether the data leak resulted from a misconfiguration related to the changeover process. Previous evaluations of the system revealed numerous security risks, so it was due for an upgrade.
Finally, the Tasmanian Government may have to give detailed explanations in court, as the incident opens the way to legal proceedings from the exposed patients. Certainly, after such a lengthy exposure, spanning from last November to yesterday, nobody can pretend that no one has accessed the data.