Qld research institute suffers data breach

A leading Queensland medical institute's data has been accessed by an unknown third party.

Queensland's top medical research institute has apologised after patient data and potentially staff resumes were accessed by an unknown third party on Christmas Day.

The QIMR Berghofer Medical Research Institute was notified that its data stored on an external file-sharing system hosted by Accellion was breached by an unknown entity on February 2.

The institute says about 620MB of data - including clinical patients' information like their age, sex and ethnic group and potentially staff member CVs - were accessed on December 25.

"The likely data breach, by an unknown party, appears to have been caused by a vulnerability in Accellion's system," QIMR Berghofer said in a statement on Thursday.

The breach also affected some of Accellion's international clients and the institute shut down the software and launched an investigation.

QIMR Berghofer said the hacked data related to clinical trials of anti-malarial drugs but no personally identifying information, such as patients' names or contact details, was accessed.

The institute said CVs of 30 current and former staff may have also been accessed.

QIMR director and chief executive Fabienne Mackay apologised for the breach and said the Accellion system has been decommissioned.

"We are very concerned that some data appears to have been accessed and I want to say a sincere sorry to our stakeholders, particularly our clinical trial partners and members of the public who took part in our anti-malarial drug trials," Professor Mackay said in a statement.

"These trial participants do a wonderful community service by helping to speed up the development of new drugs for a disease that kills about 400,000 people every year.

"We don't believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed."

She said many of the files had to be kept for 15 years but they did not need to be stored externally.

Prof Mackay said the institute was reviewing whether third-party systems should be used or more secure locations were available.

She stressed there was no indication QIMR Berghofer had been directly targeted and it was more likely caught up in a breach aimed at Accellion.

The institute has reported the breach to the Australian Information Commissioner and the Australian Cyber Security Centre.

Australian Associated Press