QIMR Berghofer Medical Research Institute is investigating a likely data breach through the third-party file-sharing system Accellion.
Early internal investigations indicate that about 4 per cent, or 620MB, of the QIMR Berghofer data in Accellion appears to have been accessed through the file-sharing system on 25 December 2020.
Nine QIMR Berghofer employees use the Accellion system.
The first notification QIMR Berghofer received from Accellion was on 4 January 2021, when the company advised the Institute to apply a security patch. The Institute immediately took the software offline and applied the patch.
Accellion notified QIMR Berghofer on Tuesday 2 February 2021 that it believed the Institute had been affected by the data breach, which has also affected a number of Accellion’s other Australian and international clients.
The likely data breach, by an unknown party, appears to have been caused by a vulnerability in Accellion’s system.
QIMR Berghofer immediately shut down the software and launched an internal investigation and forensic analysis. The Institute has sent a copy of its system to Accellion, which is conducting its own forensic analysis to confirm that a data breach has occurred, and, if so, which files were accessed.
The Institute’s preliminary investigations indicate that no personally identifying information belonging to members of the public was held in the Accellion system.
QIMR Berghofer uses the third-party file-sharing software to receive and share data from clinical trials of anti-malarial drugs. These clinical trials are conducted with healthy volunteers. No names, contact details or other personally identifiable details of study participants are in the files held in Accellion. Instead, codes are used to refer to study participants. Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some other documents include participants’ de-identified medical histories, along with their codes.
The CVs of about 30 current and former research staff were also in Accellion and could potentially have been accessed. The Institute is offering advice and assistance to those employees. QIMR Berghofer also uses the software to share some internal files, and to share documents with the Mosquito and Arbovirus Research Committee.
QIMR Berghofer’s Director and CEO, Professor Fabienne Mackay, has apologised for the suspected data breach.
“We are very concerned that some data appears to have been accessed and I want to say a sincere sorry to our stakeholders, particularly our clinical trial partners and members of the public who took part in our anti-malarial drug trials,” Professor Mackay said.
“These trial participants do a wonderful community service by helping to speed up the development of new drugs for a disease that kills about 400,000 people every year.
“We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed.
“Many of these files have to be kept for 15 years. However, they did not need to be stored in Accellion. We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location.
“We cannot contact these clinical trial participants because we don’t know who they are, and don’t have their names or contact details. However, if anyone has any concerns, or would like more information, they can contact us via the details below.
“We are contacting our clinical trial partners and other stakeholders to let them know what has happened and what we are doing to address this likely data breach.
“Some of the trial data in Accellion has already been published, and some will be published in the near future. In the spirit of open disclosure of clinical trial data, we endeavour to publish as much data as possible while preserving the confidentiality of trial volunteers.
“Data security is a top priority for QIMR Berghofer. We will keep working with Accellion to understand how this suspected breach occurred, which files were accessed, and why QIMR Berghofer was not notified sooner. In the meantime, we have decommissioned the Accellion system from use at QIMR Berghofer.”
There is no indication that QIMR Berghofer was directly targeted.
For security reasons, the Accellion system sits outside of the Institute’s core network. There is no indication the hackers gained access to QIMR Berghofer’s internal network, or any of its other servers.
The Institute had already scheduled the software to be decommissioned next month.
QIMR Berghofer has notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, of which the Institute is a member.