On 13 September 2024, we discovered that Bellarine Medical Group had been the victim of an email security incident involving unauthorised access to one of our employee mailboxes, which was used to send spam emails to addresses contained in that account’s auto-saved email cache.

Following discovery of unauthorised activity, we immediately engaged our IT service provider to remove the unauthorised access to the email account and investigate the scope of the incident. All email accounts were immediately secured by forcibly logging out remote users and deploying a forced multifactor authentication and password change. Bellarine Medical Group’s systems were secured within 30 minutes of being accessed by the unauthorised user.

We would like to reassure all patients that Bellarine Medical Group does not transfer medical records via email and all patient records are secured within an isolated patient management system. Access to this patient management system is separate to the email accounts and there was no unauthorised access to the patient management system.

There is no indication that any information was accessed during this attack other than email addresses stored in the account’s auto-saved email cache. Emails are cleared from this mailbox regularly throughout the day and there is no evidence that any health or personal private information was accessible during the brief window of unauthorised access.

Bellarine Medical Group takes cyber security and privacy of personal information seriously, and we remain highly alert and continue to monitor our systems for signs of any suspicious activity.

Although there is no evidence that any personal data has been accessed apart from the email addresses used in the spam attack, we have outlined some simple steps below that you can take if you have any concerns:

1. Check your bank account statements for suspicious activity and contact your bank if you see any unusual activity. If necessary, discuss options with your bank regarding replacement cards as required.
2. Contact IDCARE – Australia’s national identity and cyber support community service. They have expert Case Managers who can work with you in addressing concerns in relation to personal information risks and any instances where you think your information may have been misused. IDCARE’s services are at no cost to you. If you wish to speak with one of their expert Case Managers, please complete an online ‘Get Help’ form at https://www.idcare.org/contact/get-help, or call 1800 595 160 (Monday to Friday 8am – 5pm AEST excluding public holidays).
3. Obtain a free credit report to identify whether there is any suspicious activity on your bank accounts (for example, Equifax credit reports are available at https://www.equifax.com.au/personal/products/credit-and-identity-products).
4. Ensure that you have sufficiently complex passwords on your computer systems, your email and your social media accounts.
5. Ensure that you have up-to-date anti-virus software and any recommended software patches installed on your computer systems.
6. Visit Scamwatch (at https://www.scamwatch.gov.au/) to keep up with current scam trends.

If you have any queries, please contact us at [email protected]. To anyone that has contacted us to raise concerns and request information regarding the attack, thank you for your patience while we have finalised our investigation into the incident and confirmed that the risk of unauthorised access has been resolved.

We sincerely apologise for any inconvenience caused as a result of this incident.