Major Australian IVF provider Genea has notified its patients of the details of the cyber attack it suffered back in February, revealing what data was stolen by threat actors.
On 14 February, Genea revealed that it suffered a cyber attack leading to data theft, an attack that was quickly claimed by the Termite ransomware group.
While Genea had confirmed that data was stolen, it did not clarify exactly what was taken, other than mentioning what data was potentially exfiltrated. It also received a court injunction to prevent the contents of the stolen data from being spread.
Now, five months after the incident took place, Genea has begun notifying its customers as to what data was exfiltrated in the cyber attack.
“We are not notifying you about a new incident,” said Genea CEO Tim Yeoh in a notification to customers seen by the ABC.
“Genea’s completed investigation has confirmed that personal information about you was taken and published on the dark web.”
According to the notice, the data includes patient full names, phone numbers, dates of birth, addresses, Medicare card numbers, medical diagnosis, and “clinical information related to the services that you received from Genea or other health service providers and/or medical treatment”.
However, customers have been disappointed with Genea’s response to the incident. One former customer, who had undergone multiple unsuccessful rounds of IVF with Genea over a two-year period, told the ABC that Genea appeared to be downplaying the risk created by the data being stolen.
“The publication [of the data] has occurred on a part of the dark web, which is a hidden part of the internet,” the notice said.
“The data is not readily searchable or accessible on the internet.”
Another customer said Genea should be held accountable and said they intended to seek compensation.
“A lot of people chose Genea because they present themselves as personal, but except when something goes wrong, they just go quiet and close the doors and don’t talk,” she told the ABC.
“You have got no rights. The big corporation is just going to steamroll everyone.”
IVF treatment is expensive and requires specific timing. According to Genea, IVF treatment can cost between $12,395 and $13,095 per cycle, depending on the type of treatment.
Additionally, missed medication, egg retrieval, blood tests, and implanted embryos can result in an unsuccessful treatment.
Rapid7 principal threat analyst Matthew Green told Cyber Daily that the sensitive nature of medical data means it can be incredibly effective against consumers.
“Malicious actors can exploit medical data in various ways, including identity theft, insurance fraud, and blackmail. Unlike financial data, which has a limited shelf life because it is relatively easy to change, leaked medical records are permanent and therefore hold long-term value,” Green said.
“Medical records from specialised clinics, such as IVF, are highly prized by cyber criminals for their mix of medical and personal data. This data can fuel targeted scams, such as tailored phishing emails or identity theft, and supports direct extortion by threatening to expose sensitive conditions, exploiting victims’ emotions and finances. Often linked to patients perceived as affluent due to costly treatments, these records can fetch high prices on the black market, making them a lucrative target over more generic breaches.”
Almost half a year after the breach, Genea still has not disclosed the full nature or scope of the incident, including how many people were affected.
Speaking with the ABC, cyber security expert Richard Buckland said Genea’s delay in notifying customers is disappointing.
“It is deeply disappointing that the company has waited until the information has been published before telling affected customers what had been stolen,” he said.
“I challenge business leaders to put the welfare of their customers first ahead of their concerns about bad publicity.”