The website that published sensitive messages sent between staff from the Western Australian Department of Health was run by a teenager, according to Premier Mark McGowan.
On Monday WA Health revealed it had been “alerted to a breach of confidential data associated with the use of a third-party pager service”.
McGowan on Tuesday said the police had intervened and shut down the website, and the person who allegedly hacked the site was a teenager.
“It was a person under the age of 16, who obviously spends a lot of their life online, and did this sort of thing as some young people do,” he said.
Paging networks cannot be encrypted because they send messages using legacy radio technology.
The premier said he “personally thought pagers went out in the 90s”, but WA Health had told him pagers had been used for at least 12 years because they were regarded as a more “certain way” to communicate than SMS.
“I had no idea that they were still being used anywhere, let alone within the Western Australian government, but that’s the arrangements put in place,” he said.
He noted authorities would undertake a forensic examination.
“The secure information that may have been transmitted, the people whose names might be there, there’s going to be a forensic examination to make sure those people are contacted and advised if any of their information was published inappropriately so that will go on,” he said.
“In terms of cyber security, the Office of Digital Government is now investigating as to what else can be done and where else this might be occurring across government, and whether or not any other secure information is being transmitted in this way.”
WA Police will work with the Office of Digital Government to further investigate the incident.
More than 400 webpages were published during the breach, according to 9News, but the health department’s acting director general Angela Kelly has said that hospital information was not compromised.
“In no way, shape, or form have our own systems been breached,” she told Radio 6PR.
“We utilise a third party provider that takes calls from the public, practitioners on a range of matters. What they will do is then forward that information up until yesterday by paging and SMS.”
The pager network was operated by telecommunications company Vodafone. The company had referred the breach to WA Police and the Australian Federal Police after it was detected.
“As soon as we became aware of a website illegally publishing paging messages, we took immediate action and had it shut down within hours,” it said.
The federal government’s Office of the Australian Information Commissioner has indicated that it’s making “urgent preliminary inquiries about the facts and circumstances” of the incident.
“The Federal Privacy Act covers private health providers, organisations with an annual turnover of more than $3 million and most Australian government agencies. It does not generally cover Western Australian state government departments,” it said in a statement.
“An entity regulated by the Privacy Act must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.”
It noted that in 2019, it made a submission to the WA government regarding privacy and responsible information sharing for the state public sector.