Insider Threat at Canberra Hospital: a Case Study in Critical Infrastructure Security in the Health Sector

An insider threat incident at Canberra Hospital in May 2025 reveals critical lessons for CIRMP compliance and personnel security under the Security of Critical Infrastructure Act 2018.

An insider threat is a person who uses their legitimate access to an organisation’s assets to cause harm.  Harm may be caused intentionally or unintentionally, but the consequence of the harm does not differ based on intent.

Harms may befall the organisation, such as reputational damage, or may befall an employee, such as psychosocial damage, or may befall a stakeholder, such as a client’s personal information being stolen.

Insider threat events that cause harms include theft, inappropriate workplace behaviour, misuse of assets, unauthorised access to private information, sabotage, or misuse of the IT system.  It is this last point that we will examine in the context of a recent insider threat event in Australia.

In May 2025, Australian media reported that a Canberra Hospital employee allegedly stalked and threatened a colleague.

Police allege the male employee, a cleaner, used the Canberra Hospital’s IT systems to send harassing messages and death threats to a female employee between April and May 2025.

It is also alleged the male employee followed the female employee while she was working, including to areas of the hospital where he had no legitimate reason to be.

The man was arrested and faced court.  The court heard evidence that the man had an “obsession” with the female colleague that escalated to harassment when she showed no interest in him.

Evidence was tendered in court that the man said in a message to the woman “I will kill you one day”.

The court heard that the man’s employment at the hospital has now ceased.

This is a case of insider threat.  The male employee used Canberra Hospital’s IT systems to send threatening messages.  Further, based on the media reporting, it appears the man misused his hospital access to follow the female employee to places in the hospital that he was not legitimately required to access – he used his access inappropriately.

Under the Australian Government’s Security of Critical Infrastructure Act 2018 (SOCI Act), Canberra Hospital is classified as a ‘critical hospital’.  With this classification, Canberra Hospital is required to have a Critical Infrastructure Risk Management Program (CIRMP), which identifies assets, threats, and relevant risks to the hospital’s assets and operations.  One of the four types of hazard (or threats) that the CIRMP mandates for consideration and mitigation is personnel security, and within that the hospital should have an insider threat program.

Pentagram does not know if the Canberra Hospital has an insider threat program but if it does, and it is effective, it may well have been the mechanism through which the man’s aberrant behaviour and inappropriate IT use were detected.  Of course, it is possible the man’s behaviour was reported by the victim.  In either case, part of an insider threat program would be to analyse how the harm occurred, determine if there is remedial action that could be taken to prevent similar incidents in future, and to establish data collection to review the effectiveness of the mitigations put in place to prevent further such events.

This case also presents an opportunity to reflect on several broader considerations for critical infrastructure entities:

  • Detection and response: While media reports do not detail how the insider threat was initially detected, insider threat programs typically incorporate mechanisms for identifying early warning signs – such as unusual IT activity, access pattern anomalies, or concerning behaviour reported by colleagues.   These mechanisms can enable intervention before harm escalates.
  • CIRMP and compliance lessons: Canberra Hospital’s classification as a critical hospital brings with it an obligation to maintain a CIRMP that addresses personnel security hazards.  Lessons for other critical infrastructure entities include the importance of access control monitoring, regular behavioural risk assessments, and having clear pathways for reporting and escalating concerning behaviour.
  • Culture and prevention: Insider threat programs are most effective when paired with a strong organisational culture that promotes trust and psychological safety.  Encouraging staff to speak up and providing them with training to recognise and report potential issues are important components of a preventive approach.

By examining this incident at Canberra Hospital, critical infrastructure operators in any sector can assess the maturity of their insider threat programs and make improvements that protect both people and operations.

An insider threat program is not a security ‘stick’ but rather is an approach that affords protection to employees, clients, stakeholders and the successful ongoing operation of the enterprise it helps to protect.  An insider threat program aligns with the duty-of-care concept embedded in workplace health and safety legislation and policies, which makes it good for people and good for business. 
