Genea, an IVF provider, suffers a significant data breach.

February 19, 2025

Genea, a large IVF provider, has suffered a cyber attack. Today it publicly announced that it has been the subject of a cyber attack. The statement, 19 February 2025: Important update about a cyber incident, is a model of saying precious little.

It provides:

Genea is urgently investigating a cyber incident after identifying suspicious activity on our network. As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems. 
 
Out of an abundance of caution, this included taking some of our systems and servers offline while we investigated the incident. These are now being restored while we continue our investigation.
 
Our ongoing investigation has identified that an unauthorised third party has accessed Genea data. We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information.
 
We acknowledge the importance that people place on their information, especially in this current environment. We are committed to keeping you updated as we learn more.

Are Genea clinics still open and treatments being provided?

We are working hard to ensure that there is minimal disruption to treatment being provided to our patients. If you do not hear from your local Genea clinic, there is no change to your current treatment schedule.
 

What should I do?

We will communicate with relevant individuals if our investigation identifies any evidence that their personal information has been impacted.

We sincerely apologise for any concern this incident may cause and want to reassure patients that we take your privacy and the security of your data very seriously.
 
We also want to reassure you that our teams of specialists, nurses and office support staff are working tirelessly to ensure that there is minimal disruption to your treatment, which is of our utmost priority and importance.
 

Need to get in touch?

If you have any further questions, please email cyber@genea.com.au.

The statement is more about appearing to provide information while not doing any such thing. There are no details of when the attack occurred, when it was detected, or what data was accessed. The ABC’s sleuthing partially filled in those gaps. The ABC suggests the attack occurred sometime on the weekend when Genea’s phone line went down (which it announced on 14 February – last Saturday) and its app was unusable and patients started posting on Genea’s Instagram account. Genea claims to be investigating the extent to which personal information has been accessed. That is improbable. If it is accurate then the resources it is deploying to determine whether personal information was accessed are inadequate. So Genea’s vague, say-not-much media release is less than helpful. IVF patients have a very strong interest in using the digital resources of Genea, are very proactive and many are quite sophisticated. So throwing a digital blanket over a serious breach is a poor way of managing a crisis. The reluctance by Genea to be more open may expose it to more media coverage.

Given the nature of the treatment provided and the likelihood that very sensitive personal information was stored in Genea’s records, it is almost certainly a notifiable data breach.

The story has been reported in the Age with ‘Urgently investigating’: IVF giant rocked by data breach and by the ABC in Major Australian IVF clinic Genea ‘urgently investigating’ cyber incident.

The Age article provides:

One of Australia’s largest IVF providers is urgently investigating a cyberattack that may have exposed the data of thousands of families and expectant parents.

Genea chief executive Tim Yeoh told past and present patients on Wednesday that the company had taken some of its systems and servers offline after it identified suspicious activity on its network.

“We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information,” Yeoh said.

Yeoh said the company was working hard to prevent disruption to treatment being provided to patients.

“If you do not hear from your local Genea clinic, there is no change to your current treatment schedule,” he said.

“We sincerely apologise for any concern this incident may cause you and want to reassure you that we take your privacy and the security of your data very seriously.”

The announcement came five days after Genea reported a phone outage at some of its clinics. A notice on the company’s website indicated the outage was still an issue on Wednesday afternoon.

In a statement, a Genea spokesperson said the company had engaged cyber experts to assist in the investigation and was liaising with the Australian Cyber Security Centre.

“Our investigation is ongoing and we will communicate with any affected individuals if our investigation identifies any evidence that their personal information has been impacted, consistent with our legal and regulatory obligations,” the spokesperson said.

Under Australian privacy law, unauthorised access or disclosure of personal information must be reported to the Office of the Australian Information Commissioner within 30 days if it is “likely to result in serious harm to one or more individuals”.

A Department of Home Affairs spokesperson said the National Office of Cyber Security was aware of the breach and was ready to assist Genea if needed.

Genea is one of Australia’s three largest IVF providers, operating 21 clinics nationally. The company came under fire in 2019 after patients were artificially inseminated with ineffective sperm costing thousands of dollars but offering no real chance of conception.

Last year, several families spoke out against the company on the ABC’s Four Corners program after their embryos became contaminated at Genea’s state-funded clinic at Sydney’s Royal Prince Alfred hospital.

The ABC story provides:

A major IVF provider used by tens of thousands of patients has confirmed an “unauthorised third party” has accessed its data, five days after its phone lines went down and patients were left concerned their treatment could be affected.

After enquiries from the ABC, a spokesperson for Genea confirmed on Wednesday afternoon the company was “urgently investigating a cyber incident after identifying suspicious activity” on the network.

“As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems,” they said.

“We have since engaged cyber experts to assist us with our response and investigation and we are liaising with the Australian Cyber Security Centre.”

The spokesperson said the company was working to ensure there was minimal disruption to treatment being provided to patients.

IVF treatment can cost in excess of $12,000 per cycle and timing is critical to ensure blood tests are taken, medication administered, eggs retrieved and embryos implanted at the correct time.

Concerned patients have been posting on Genea’s Instagram accounts since the weekend, worried the outage could affect their treatment.

“App still down. Need my blood slip. No answer on emails. Hope this delay doesn’t affect my treatment plan,” one person wrote.

“Hey I’ve tried contacting my clinic… via the email above and they still haven’t got back to me, my medications run out on Thursday, sort of a desperate situation,” wrote another.

Patients had also complained the company’s app MyGenea — which allows patients to track their cycle and view fertility data, results and forms — was unable to be used.

Genea first notified patients on February 14 that phone lines were down.

After the ABC’s initial inquiries, the company engaged external public relations firm Porter Novelli, which specialises in responding to cyber security incidents.

Later on Wednesday afternoon, at least five days after the company first became aware of the problem, Genea published a public notification and emailed patients alerting them to the incident after being made aware the ABC would run this story.

The Genea spokesperson said the company’s investigation was ongoing and did not confirm whether sensitive patient information was accessed.

“We will communicate with any affected individuals if our investigation identifies any evidence that their personal information has been impacted, consistent with our legal and regulatory obligations,” they said.

“The protection of our staff and patients’ information is our utmost priority. We apologise for any concern or inconvenience that this incident has caused and will provide patients with relevant updates as we learn more.”

 

 
