In 2020, a 15-year-old autistic individual, Joshua, intercepted and decoded unencrypted radio frequencies used by Western Australia’s public health system during the COVID-19 pandemic. He uploaded the exposed data including patient and staff names, contact details, and hospital communications to a self-built 400-page website, making it publicly accessible. The breach was discovered after Nine News reported on it, broadcasting some of the leaked content before the site was taken down. While Joshua claimed no malicious intent and cooperated with authorities (who ultimately took no legal action), the incident compromised sensitive personal and operational data of patients and healthcare workers. The breach occurred at a critical time, heightening risks of identity exposure, reputational damage to the health system, and potential misuse of contact details. Police executed a search warrant at Joshua’s home, but no charges were filed. The case highlighted vulnerabilities in unencrypted communications and the unintended consequences of neurodivergent individuals engaging with sensitive systems.
TPRM report: https://www.rankiteo.com/company/healthsupportservices
"id": "hea3002130101725",
"linkid": "healthsupportservices",
"type": "Breach",
"date": "6/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Patients and staff (exact '
'number undisclosed)',
'industry': 'Healthcare',
'location': 'Western Australia, Australia',
'name': 'Western Australia Public Health System',
'type': 'Government Health Agency'}],
'attack_vector': 'Interception of unencrypted radio frequencies',
'data_breach': {'data_encryption': 'No (unencrypted radio frequencies)',
'data_exfiltration': 'Yes (uploaded to public website)',
'file_types_exposed': ['Text (decoded radio transmissions)'],
'personally_identifiable_information': ['Names',
'Contact details'],
'sensitivity_of_data': 'High (patient/staff PII, hospital '
'communications during pandemic)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Healthcare communications']},
'date_detected': '2020',
'date_publicly_disclosed': '2020',
'description': 'A 15-year-old autistic individual, Joshua, intercepted and '
'decoded unencrypted radio frequencies used by Western '
"Australia's public health system during the COVID-19 "
'pandemic. He uploaded the decoded data including patient and '
'staff names, contact details, and hospital communications to '
'a self-built 400-page website, exposing sensitive '
'information. The breach was discovered after media reports '
'(Nine News) broadcast parts of the leaked content. '
'Authorities raided Joshua’s home, but no charges were filed '
'due to his age, neurodivergence, and lack of malicious '
'intent. The incident highlighted vulnerabilities in '
'unencrypted communications and the legal challenges faced by '
'neurodiverse individuals in the justice system.',
'impact': {'brand_reputation_impact': "Significant; described as 'very "
"disappointing and disturbing' by "
'then-premier Mark McGowan',
'data_compromised': ['Patient names',
'Staff names',
'Contact details',
'Hospital communications'],
'identity_theft_risk': 'High (exposed PII)',
'legal_liabilities': 'None (no charges filed)',
'operational_impact': 'Potential disruption to hospital '
'communications during COVID-19 pandemic',
'systems_affected': ['Radio communication systems of Western '
'Australia public health']},
'initial_access_broker': {'backdoors_established': 'No',
'data_sold_on_dark_web': 'No',
'entry_point': 'Unencrypted radio frequencies',
'high_value_targets': ['Patient data',
'Staff data',
'Hospital communications']},
'investigation_status': 'Closed (no charges filed)',
'lessons_learned': ['Neurodiverse individuals may lack awareness of '
'legal/consequential risks in technical explorations.',
'Unencrypted radio frequencies in critical infrastructure '
'(e.g., healthcare) pose significant privacy risks.',
'Legal systems require specialized programs (e.g., WA’s '
'Intellectual Disability Diversion Program) to address '
'neurodiverse offenders fairly.',
'Proactive communication with authorities could mitigate '
'unintended consequences.'],
'motivation': 'Non-malicious; curiosity and passion for technology (lack of '
'awareness of consequences)',
'post_incident_analysis': {'corrective_actions': ['Joshua later pursued a '
'career in cybersecurity '
'(redemption path).',
'Media coverage raised '
'awareness of '
'neurodiversity in legal '
'contexts.',
'Highlighted need for '
'better security in '
'healthcare '
'communications.'],
'root_causes': ['Lack of encryption in critical '
'communication channels.',
'Lack of awareness/education on '
'legal consequences for '
'neurodiverse individuals.',
'Delayed detection (breach '
'discovered via media reports).']},
'recommendations': ['Encrypt all sensitive communications, including radio '
'frequencies used in healthcare.',
'Implement real-time monitoring for unauthorized data '
'exposures (e.g., public websites).',
'Expand neurodiversity training for law enforcement and '
'legal professionals to avoid misinterpretations of '
'behavior.',
'Promote ethical hacking/bug bounty programs to channel '
'technical skills positively.'],
'references': [{'source': 'ABC News',
'url': 'https://www.abc.net.au/news/2023-11-15/autistic-teen-hacked-wa-health-data-no-charges/103100000'},
{'source': 'Nine News'}],
'regulatory_compliance': {'fines_imposed': 'None',
'legal_actions': 'None (no charges filed)',
'regulations_violated': ['Australian Privacy '
'Principles (APP)',
'Health Records and '
'Information Privacy Act '
'2002 (WA)']},
'response': {'communication_strategy': ['Media statements by then-premier '
'Mark McGowan',
'No public advisory to affected '
'individuals mentioned'],
'containment_measures': ['Website takedown (after media '
'exposure)'],
'incident_response_plan_activated': 'Yes (police raid, evidence '
'collection)',
'law_enforcement_notified': 'Yes (Western Australia Police '
'executed search warrant)'},
'threat_actor': {'age_at_incident': 15,
'background': 'Autistic individual with no prior criminal '
'intent; later worked in cybersecurity',
'motivation': 'Non-malicious; obsessive interest in '
'radio/technology (autistic fixation)',
'name': 'Joshua (pseudonym)',
'skills': ['Radio frequency decoding', 'Web development']},
'title': 'Western Australia Public Health Data Breach via Unencrypted Radio '
'Frequencies',
'type': ['Data Breach', 'Unauthorized Access', 'Privacy Violation'],
'vulnerability_exploited': 'Lack of encryption in radio communications used '
'by public health systems'}