
Reporting in March 2025 exposed that Ambulance Victoria had suffered an insider threat event. Media reported that Ambulance Victoria suspected that a “rogue member of staff” had stolen personal and financial data of up to 3,000 Ambulance Victoria members.
Reportedly, this ‘rogue member’ had recently ended their employment with Ambulance Victoria, but before they left, on their final day, whilst they still had access to Ambulance Victoria systems, the member downloaded and stole employee personal data. The types of data stolen included staff names, home addresses, telephone numbers, email account details, bank account details, tax file numbers, superannuation account details, gender, birth date, nationality, residency status, and emergency contact details.
Ambulance Victoria’s Chief Executive Andrew Crisp said that staff had been alerted to the breach and that police had been informed, with investigations expected. The data theft, characterised as an ‘unauthorised transfer of data’, was identified by Ambulance Victoria’s data security systems when the ‘rogue member’ made the unauthorised data transfer on the last day of their employment with Ambulance Victoria.
Later in this article, Pentagram will analyse this insider threat event further, but first we want to define what an insider threat is and to explore the issue of ‘harm’.
What is an insider threat?
An insider threat is a person – a trusted insider – who uses their legitimate access to an organisation’s assets to cause harm. That trusted insider could be an employee, a secondee, a volunteer, a contractor, or a third-party person such as an employee in the trusted supply chain.
The insider threat act causes harm. The harmful act can be any of these examples: theft of materiel, physical damage to assets, corrupting data, stealing intellectual property, sabotage, or leaking confidential information. The measure of the harm is known as the consequence, which could be financial loss, impaired operations, loss of confidence and trust, physical or psychological harm to people, or perhaps damage to the organisation’s reputation.
Sometimes the consequence can be expressed in terms of money. However, in many cases of insider threat actions, the consequences include harms to people which may not be visible, or not visible for quite some time after the event, and so ‘people harms’ are often not accounted for in the final tally of the damage that has been caused.
Insider threats rarely occur without precursors, that is, events and behaviours over a preceding period that become drivers, shaping the attitudes and behaviours of the trusted insider who changes to become an insider threat. These precursors can be visible if they are being looked for. If the precursors are seen, they can be acted upon, potentially mitigating a possible insider threat act.
Insider threat behaviour is often influenced by workplace culture, which includes the behaviour of leaders who model and enable behaviour and standards. Behaviours in the workplace can be a driver for people to become insider threats.
Another insider threat case: NSW ambulance contractor convicted for selling employee data
Insider threats are not hypothetical. The following example, also from the ambulance sector, highlights how a trusted contractor in a health service environment exploited their legitimate access to sensitive information, demonstrating the real and recurring nature of insider threats in critical frontline organisations like ambulance services.
Between 14 January and 1 February 2013, Waqar Malik, an injury management coordinator contracted by NSW Ambulance, unlawfully accessed and sold the workers’ compensation files of approximately 130 current and former employees to personal injury law firms. These files contained sensitive medical records, including psychiatric assessments and injury details. Malik was convicted in 2016 for unlawfully disclosing personal information.
In November 2017, a class action lawsuit was initiated by the affected NSW Ambulance employees, alleging breaches of confidence, contract, and privacy. The lawsuit was settled in December 2019 for $275,000.
This case underscores the serious legal and financial implications of insider threats, where a trusted individual exploits legitimate access for unauthorised purposes, and highlights the importance of robust access controls, behavioural monitoring, and routine audits, as well as comprehensive workforce screening for employees and contractors alike, to detect and deter the misuse of sensitive data.
What else has been happening in Ambulance Victoria?
Returning to Ambulance Victoria, it is important to consider what environmental or cultural factors may have contributed to the March 2025 incident. As context for this insider threat event, what public reporting has there been that indicates the workplace culture at Ambulance Victoria? Here are three reports which can inform our view on the workplace culture.
In September 2024, Ambulance Victoria and the Union representing its employees struck a deal to deliver pay rises and better working conditions following more than a year of negotiations. Victoria’s ambulance service had been locked in pay dispute discussions with the state government for 18 months, and the union had passed a vote of no-confidence in Ambulance Victoria Chief Executive Jane Miller in July 2024. The agreement also comprised more than 80 improvements to working conditions, including better meal break provisions and the right to disconnect.
In July 2024, six Ambulance Victoria staff were stood down. They were accused of committing fraud. The allegation is that up to six staff members from the Ambulance Victoria payroll team claimed more than $3.5 million in overtime for work they did not do. Ambulance Victoria confirmed the allegations were raised directly with its Chief Executive by an employee in early 2023, with the matter then referred to Victoria’s Independent Broad-based Anti-corruption Commission and subject to an internal investigation. The union representing the accused claimed that Ambulance Victoria senior leaders leaked the information to the media ahead of the conclusion of the review, which the union described as a malicious act.
While this case did not involve the misuse of sensitive personal data, it nevertheless represents a form of insider threat, specifically insider fraud, in which trusted employees allegedly exploited their access to internal systems for personal gain, resulting in significant financial harm to the organisation.
In November 2021, the head of Ambulance Victoria apologised unreservedly, and committed to make fundamental changes at the organisation, after employees spoke out about an unsafe workplace culture marred by disrespect, bullying and sexism. Of the employees who contributed to a Victorian Equal Opportunity and Human Rights Commission report into Ambulance Victoria, roughly half said they had experienced discrimination and bullying while on the job.
While often treated as a workplace culture issue, bullying – particularly when persistent and perpetrated by someone in a position of trust – can also be considered a form of insider threat, given the psychological harm and erosion of organisational integrity it can cause.
The Victorian Equal Opportunity and Human Rights Commissioner said Ambulance Victoria’s public apology to its staff was a “fundamental piece” of the path towards fixing the issues raised in the report.
“There has sort of been a lack of reporting … because people haven’t felt that it was going to make a difference, or they didn’t want to be singled out,” they said.
In the Commission’s report, excerpts from participant interviews highlighted key areas of concern. Comments included the following:
- “This organisation’s culture is unsafe for people who are not white males.”
- “You’ve got to be aggressive and alpha and mean and rude.”
- Another employee noted they had “never come across a collective who were so routinely disrespectful to their colleagues.”
- One employee said their job was ‘doomed’ after raising a sexual harassment complaint.
The Commission’s report noted there had been a “loss of faith” in the organisational values of Ambulance Victoria due to “the failure of some leaders and managers to model appropriate conduct and to hold individuals consistently to account” for doing the wrong thing. The report also noted that 33 respondents said they had experienced requests or pressure for sex or other sexual acts, and 12 respondents said they had been subjected to actual or attempted rape or sexual assault while at Ambulance Victoria. The report also found that one quarter of the state’s ambulance officers are suffering psychological distress.
What do these reports indicate about the culture of Ambulance Victoria?
These three examples, spanning 2022 to 2024 and occurring ahead of the March 2025 insider threat event, indicate that the workplace culture at Ambulance Victoria was not conducive to a positive staff culture – which is essential to achieving a strong security culture. This unhealthy culture, coupled with ongoing criticisms by employees of Ambulance Victoria’s leadership performance and behaviours, provided fertile ground for staff disgruntlement – a known driver of inappropriate workplace behaviour, including insider threat acts, and a key driver along the pathway to becoming an insider threat.
With respect to the March 2025 ‘rogue member’ being able to undertake unauthorised access to data on their last day of employment, an effective insider threat program could have identified this risk. The Pentagram team is aware of insider threat programs that utilise ICT-based monitoring tools that can detect aberrant online behaviour, often before a person lodges their resignation, based on notable changes in their online behaviour.
It is very likely that this Ambulance Victoria ‘rogue member’ exhibited behaviours, either online, in their interactions with colleagues, or both, that an effective insider threat program could have detected. Once aberrant behaviour is identified, then an insider threat program is designed to enable decision-making on the formal course of action to be taken with respect to the person.
Early detection creates an opportunity to mitigate the potential for harmful action by assisting the person, where possible, so they do not progress to becoming an insider threat. This approach reflects a commitment to staff wellbeing aligned to workplace health and safety principles.
Beyond this, in circumstances where the person’s response to intervention or other actions is not cooperative, there is also the option to remove the person from the workplace, which is of course another valid way to mitigate the risk. This approach could also prevent harm to the person, their colleagues, and to the organisation’s stakeholders and clients.
An effective insider threat program is designed with the necessary features to make either of these approaches formal, private, legal, and proportionate to the level of risk posed to the organisation and to its people.
What is the message to take away?
As shown during the COVID-19 pandemic, the job of an ambulance officer is highly demanding. The Australian community desperately needs people who are willing to serve as emergency medical first responders and are able to operate in highly unpredictable and fast-moving situations, often facing physical and psychological risk in the course of their duties.
The role of the ambulance officer is critical because people’s lives depend on them being available and timely, so there are clearly great stressors in the job. But even these highly trained and motivated professionals need strong positive leadership that models acceptable behaviours, a supportive workplace culture, and clear education about security in the workplace, all of which help to ensure they can be safe and effective in their roles.
An insider threat program is a key organisational capability that helps shape and maintain a secure workplace. It is valuable to any organisation, in part because it makes clear what behaviours are acceptable and unacceptable, giving people the confidence to speak up about behaviours and attitudes they see and become aware of.
If the workplace culture had been better, perhaps the ‘rogue member’ would not have stolen all that data on their last day of work, or a colleague would have detected changes in their behaviour or attitudes earlier and acted, utilising an insider threat program, if one was in place at Ambulance Victoria, to mitigate the risk of harm.
At the heart of every insider threat is a person – and at the heart of every solution must be a workplace that values, supports, and protects its people. For organisations like Ambulance Victoria, building a mature insider threat capability is essential to protecting staff, restoring trust, and preventing future harm.
The insider threat is a person, and so a ‘people-based’ mitigation approach remains the most effective solution.