
Sensitive patient information has allegedly been leaked on the dark web after Genea, one of Australia’s leading IVF and fertility services providers, was hacked a fortnight ago.
The attack was allegedly carried out by the Termite ransomware group, prompting Genea to obtain a court injunction on Wednesday that criminalises access to the breached patient data.
Guardian Australia has seen screenshots posted online by cybersecurity experts who monitor the dark web that appear to show a sample of the breached data.
In a statement, Genea said: “Our ongoing investigation has established that on the 26 of February, data taken from our systems appears to have been published externally by the threat actor.”
“We understand that this development may be concerning for our patients for which we unreservedly apologise.”
Sensitive information including contact details, Medicare card numbers, medical histories, test results and medications may have been compromised in the data breach, Genea said, and it was “working to understand precisely what data has been published”.
The court order reveals the alleged attackers were in Genea’s network for over two weeks, starting from 31 January, before being detected, and on 14 February extracted 940.7GB of data from Genea’s systems.
The company initially advised patients of the suspected data breach on Friday 21 February, and did not reveal the extent of the attack until the following Monday.
Patients have not been informed what, if any, of their own personal information has been taken.
But in an email sent to customers, Genea’s chief executive, Tim Yeoh, revealed information in the patient management systems accessed included full names and dates of birth, emails, addresses, phone numbers, Medicare card numbers, private health insurance details, medical histories, diagnoses and treatments, medications and prescriptions, test results, notes from doctors and emergency contacts.
Yeoh said at that stage there was no evidence that financial information such as credit card details or bank account numbers had been compromised, but the investigation was ongoing.
Genea operates fertility clinics in all states and territories excluding the Northern Territory. It provides genetic testing, egg and sperm freezing, fertility testing and treatments including IVF.
“We have obtained this injunction as part of our commitment to the protection of our patients, staff and partners’ information, and taking all reasonable steps in response to this incident to protect the impacted data and those most vulnerable,” Genea said in a statement on its website.
“We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.”
In 2022, the latest year for which data is available, one in 17 babies born in Australia involved assisted reproductive technologies. There were 108,913 ART treatment cycles in total.
Network technology company Broadcom said in a memo issued in November last year that Termite had targeted a wide range of countries and sectors, with the countries including France, Canada, Germany, Oman and the US. The sectors included government agencies, education, disability support services, oil and gas, water treatment and automotive manufacturing.
Broadcom said the group’s modus operandi is unknown, but the ransomware will encrypt target files and direct victims to a dark web site to communicate on how to pay ransoms.