Australian IVF data breach after cyber-attack

A cyber-attack on the Australian IVF provider Genea has led to a data breach of their patient management systems.

Genea is the third largest fertility specialist in Australia, with clinics in multiple cities across the country. Reports stated that 700 GB of data, collected over a period of six years, had been stolen from their patient data system. The information within this system included personal details such as date of birth and residential address alongside medical history and test results. It did not include any financial information, such as credit card numbers. The ransomware group that coordinated the attack posted screenshots of the patient information data to the dark web. The group has not revealed what they plan to do with the data.

'Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent a reoccurrence,' Genea said in a statement sent to patients. 'This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.'

Suspicious activity was detected within Genea's network on 14 February, with patients notified ten days later. An additional update detailing the procurement of an injunction was sent to patients on 26 February. This prohibited the distribution of Genea patient data by law. It was at this time that patients were informed that some of their data had been published online. Investigations are ongoing to determine the extent of data that were taken by the ransomware group. Genea has urged clients to be vigilant to other attempts related to identity theft, such as suspicious emails or text messages. The uncertainty caused by the attack has been felt by both Genea and their patients.

'The information that was stolen is profoundly private and sensitive. I feel like my personal safety could be at risk. I'm so angry at Genea,' said an anonymous patient, in an interview with ABC News. 'People undergoing fertility treatment are vulnerable, particularly to negative mental health impacts. Genea knows this but hasn't offered any additional mental health care or resources to help their patients through the cyber-attack.'

The sensitivity of data stored in patient information systems makes healthcare centres a popular target for ransomware attacks. IVF clinics have a growing share of the healthcare industry in Australia, as the service has been on the rise over the past decade. Currently, around one in 18 babies born in Australia were conceived through IVF. Many components of IVF require patients to receive procedures at strict time intervals. Patient services at Genea were impacted during the cyber-attack; phone lines and emails at their clinics had outages.

Genea reported that staff are working to ensure disruption is minimal, and that fertility services can continue as normal.