Patient information from the Genea data breach posted on the dark web

February 27, 2025


Exactly a week ago I posted on the Genea data breach and raised concerns about the way it was handling the matter. The public statement was dreadful and it was clear from the subsequent reporting that it was keeping a lot of information away from the public eye, information that is commonly provided by US companies when they suffer data breaches. That dreadful approach has given way to a much more expansive attitude with a long statement on 24 February 2025 and notice of an injunction yesterday.

The Genea statement of 24 February provides:

We are endeavouring to communicate with all current and former Genea patients the latest updates of our investigation into the incident. A copy of our communication is included below.
 
Thank you for your patience as we investigate the cyber incident that has impacted our organisation (Genea Pty Limited). We understand that hearing about an incident like this can cause concern and we sincerely apologise for this. We want to reassure you that our teams of specialists, nurses, scientists and support staff are working tirelessly to minimise any impact to the treatment of our patients which is always our highest priority. Our technology teams have also been working around the clock with cyber security professionals to securely restore our systems while progressing our investigation.
 
We are committed to doing all we can to protect your privacy. In this letter, we’ll step you through what happened, what types of personal information relating to you may have been involved in the incident and identify clear steps you can take to help ensure your information is protected.

What has happened?

On 14 February 2025, we became aware of suspicious activity on our network. Following this, we promptly launched an investigation to determine the nature and scope of the activity. In the course of these investigations, Genea discovered that it had been impacted by a cyber security breach.  
 
Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent reoccurrence. This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.
 
We advised in our prior communication that we were continuing to investigate the nature and extent of data that had been accessed and the extent to which it contained personal information. As a result of our ongoing investigation, we now believe the attacker may have accessed and taken personal information which we hold.
 
We have notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre of the incident. We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.
 
Our investigation is ongoing, and we will continue to communicate any relevant updates to you.
 

What personal information has been impacted?

Our investigation has identified that Genea’s patient management systems, which contain information about you, were accessed by an unauthorised third party. We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised. However, the folders on the patient management system include the following types of your information:

 
Full names, Emails, Addresses, Phone Numbers, Medicare Card Numbers, Private Health Insurance Details, Defence DA number, Medical Record Numbers, Patient Numbers, Date of Birth, Medical History, Diagnoses and Treatments, Medications and Prescriptions, Patient Health Questionnaire, Pathology and Diagnostic Test Results, Notes from Doctors and Specialists, Appointment Details and Schedules, Emergency Contacts and Next of Kin, although the information differs for different individuals. 
 
At this stage there is no evidence that any financial information such as credit card details or bank account numbers have been impacted by this incident. The investigation is however ongoing, and we will keep you updated of any relevant further findings should they come to light.
 

Support available to you

We know that an incident like this is concerning and as part of our support to you we would like to offer you the support of a specialist provider, IDCARE, who can work with you to safeguard your personal information without any charge to you.
 
IDCARE Case Managers are available Monday to Friday from 9am to 5pm (AEDT) and a preferred time can be booked online via their Individual Get Help Form at https://www.idcare.org/contact/get-help#form or by calling 1800 595 160. To get our dedicated Genea referral code, please email cyber@genea.com.au.
 

Additional recommendations for you 

While we are undertaking a full assessment of the incident and taking all necessary precautions to mitigate any risk of harm, we recommend that you: 
 
    1. Be extra careful about opening any suspicious emails, texts or phone calls, or any possible attempts to contact you from people or organisations you don’t know.  
    2. Remain vigilant as to any other attempts that might relate to possible identity theft or fraud using your personal information.
    3. Visit the Australian Cyber Security Centre website or the ACCC’s Scamwatch for further information about online safety, cyber security and other helpful tips.

We deeply regret that your personal information may have been accessed by reason of this incident and sincerely apologise for any concern this incident may have caused. Our teams of specialists, nurses and office support staff are working tirelessly to ensure that there is minimal disruption to your treatment, which is of our utmost priority and importance.
 
If you have any further questions or would like further information, please email cyber@genea.com.au.
 
A lot of the above should have been included in the first statement. There is still a lot of meaningless palaver in the above statement, but PR types like that.  I am not sure the public is so taken in.  What organisations fail to appreciate is that people hate being left waiting for proper news when it comes to their information.  They appreciate that not everything can be provided but they don’t like being told to be patient.
 
Yesterday’s statement was no doubt a response to the patient data being uploaded onto the dark web.  It provides:
 
Our ongoing investigation has established that on the 26 of February, data taken from our systems appears to have been published externally by the threat actor. We understand that this development may be concerning for our patients for which we unreservedly apologise.
 
To as best as possible safeguard our patients and our team, Genea has taken several steps ahead of and following the publication of this data, including:
    • Obtaining a court-ordered injunction to prohibit any access, use, dissemination or publication of the impacted data by the threat actor and any third party.
    • Working to understand precisely what data has been published.
    • Ensuring that our support package is available to those impacted by this incident. This includes the support of IDCARE, Australia’s national identity and cyber support service.

We are continuing to engage with the Office of the Australian Information Commissioner and the Australian Cyber Security Centre in relation to this incident.
 
If you have any further questions or would like further information, please email cyber@genea.com.au.
 

Resources available for further information:

    • If you have any questions about government-issued identity document information (such as your driver licence, Medicare card or passport), please contact the agency that issued the identity document for advice.
    • Read more information about protecting yourself from identity fraud here.
    • If you have any questions related to your health or medical treatment, contact your doctor.

As of 26 February 2025, Genea has been granted a court-ordered injunction to prevent any access, use, dissemination or publication of the impacted data by the threat actor and/or any third party who receives the stolen dataset. We have obtained this injunction as part of our commitment to the protection of our patients, staff and partners’ information, and taking all reasonable steps in response to this incident to protect the impacted data and those most vulnerable. To learn more and for a copy of the injunction, click here.
 
Injunctive relief was first used by HWL Ebsworth in response to its disastrous data breach. That an injunction was granted is hardly surprising. The potential for irreparable damage was clear, as was the fact that damages would not be an adequate substitute. That said, the injunction is more about process and appearance. Criminals care little about court orders and many will be outside the jurisdiction. Enforcement is problematic. In any event the handling of the data and its use would almost certainly be a criminal act, such as identity theft. But it is part of the process these days.
 
These latest developments have been reported in the Guardian with “Sensitive details of Australian IVF patients posted to dark web after Genea data breach” and the ABC with “Patient information posted on dark web after cyber attack on IVF company Genea”.
 
The Guardian article provides:

Sensitive patient information has allegedly been leaked on the dark web after Genea, one of Australia’s leading IVF and fertility services providers, was hacked a fortnight ago.

The attack was allegedly carried out by the Termite ransomware group, prompting Genea to obtain a court injunction on Wednesday that criminalises access to the breached patient data.

Guardian Australia has seen screenshots posted online by cybersecurity experts who monitor the dark web that appear to show a sample of the breached data.

In a statement, Genea said: “Our ongoing investigation has established that on the 26 of February, data taken from our systems appears to have been published externally by the threat actor.”

“We understand that this development may be concerning for our patients for which we unreservedly apologise.”

Sensitive information including contact details, Medicare card numbers, medical histories, test results and medications may have been compromised in the data breach, Genea said, and it was “working to understand precisely what data has been published”.

The court order reveals the alleged attackers were in Genea’s network for over two weeks before being detected starting from 31 January, and on 14 February extracted 940.7GB of data from Genea’s systems.

The company initially advised patients of the suspected data breach on Friday 21 February, and did not reveal the extent of the attack until the following Monday.

Patients have not been informed what, if any, of their own personal information has been taken.

But in an email sent to customers, Genea’s chief executive, Tim Yeoh, revealed information in the patient management systems accessed included full names and dates of birth, emails, addresses, phone numbers, Medicare card numbers, private health insurance details, medical histories, diagnoses and treatments, medications and prescriptions, test results, notes from doctors and emergency contacts.

Yeoh said at that stage there was no evidence that financial information such as credit card details or bank account numbers had been compromised, but the investigation was ongoing.

Genea operates fertility clinics in all states and territories excluding the Northern Territory. It provides genetic testing, egg and sperm freezing, fertility testing and treatments including IVF.

“We have obtained this injunction as part of our commitment to the protection of our patients, staff and partners’ information, and taking all reasonable steps in response to this incident to protect the impacted data and those most vulnerable,” Genea said in a statement on its website.

“We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.”

In 2022, the latest year for which data is available, one in 17 babies born in Australia involved assisted reproductive technologies. There were 108,913 ART treatment cycles in total.

Network technology company Broadcom said in a memo issued in November last year that Termite had targeted a wide range of countries and sectors, including in France, Canada, Germany, Oman and the US. The sectors included government agencies, education, disability support services, oil and gas, water treatment and automotive manufacturing.

Broadcom said the group’s modus operandi is unknown, but the ransomware will encrypt target files and direct victims to a dark web site to communicate on how to pay ransoms.

The ABC article provides:

An international ransomware group has published a sample of highly confidential patient information from major Australian IVF provider Genea, after a cyber attack forced the company to shut down its systems for days.

The group claiming responsibility, which the ABC has decided not to name, posted screenshots on dark net data leak sites on Wednesday.

The group claimed to have 700GB of data from Genea’s servers, including personal information spanning six years.

NSB Cyber director Evan Vougdis said such sample data posts were often a tactic to validate their claims and put pressure on victims to comply with ransom requests.

“This is what you normally see by ransomware gangs … just to show and validate their claims of data exfiltration by showing some sample photos,” he said.

“It isn’t uncommon for ransomware groups to post [company information] without necessarily posting all the data at the same time.”

Genea posted an update to its website on Wednesday, stating it has been granted an interim injunction in the NSW Supreme Court to prevent “any access, use, dissemination or publication of the impacted data by the threat actor and/or any third party who receives the stolen dataset”.

By mid-Wednesday afternoon, the information remained on the dark web and patients had not been emailed by Genea to inform them that personal information had been publicly posted.

Mr Vougdis said while the injunction may deter regular Australians from accessing the data, ransomware groups were unlikely to abide by NSW Supreme Court orders.

The ABC understands the ransomware group claiming to be responsible are relatively new but were behind a major supply chain cyber attack last year.

The group has not publicly posted ransom requests or threatened further leaks of the Genea data.

‘This is negligent’

Genea has been criticised for a lack of communication with affected patients who spent days struggling to get in touch with their local clinics for urgent medical enquiries.

On Monday, the company wrote to patients warning their investigation had revealed that personal medical information had likely been accessed and taken by attackers.

One patient who asked not to be identified told the ABC she was devastated and frightened.

“The information that was stolen is profoundly private and sensitive. I feel like my personal safety could be at risk. I’m so angry at Genea,” she said.

“People undergoing fertility treatment are vulnerable, particularly to negative mental health impacts. Genea knows this but hasn’t offered any additional mental health care or resources to help their patients through the cyber attack. This is negligent.”

Rebecca, a former patient of Genea, said she feared having her identity stolen.

“I’m quite anxious about it. This is not my first data breach. I was caught up in the Optus breach a few years ago,” she said.

The 41-year-old from Melbourne said she’d received two emails from Genea but wanted more information about the extent of the breach.

“The medical history you give them is so thorough. It’s not just you and your partner — they take into account parents’ fertility and siblings’ fertility.”

Clients urged to remain vigilant

In a statement, a Genea spokesperson said the company was working to understand precisely what data has been published.

“We are urgently investigating the nature and extent of the data that has been published. We apologise to our patients for any concern this latest development may cause.”

The spokesperson said Genea obtained the injunction to prohibit further spread of the impacted data and that it has support available to those impacted by the incident.

“We have also notified the Office of the Australian Information Commissioner of the latest development in this incident.”

Genea patients have been advised to remain vigilant to identity theft or fraud and be cautious of suspicious emails, texts or phone calls, or any possible attempts to contact you from people or organisations they don’t know.

Genea patients can contact cyber@genea.com.au and the government’s IDCare program by calling 1800 595 160.

Michelle McGuinness, the National Cyber Security Coordinator, said she was deeply concerned by the latest developments.

“I am coordinating a whole of Australian government response to the cyber incident that has impacted Genea. As part of this, I have met directly with Genea to help them engage the full resources of the Australian government in their response to this incident,” she said in a statement.

“No one should access stolen sensitive or personal information from the dark web — do not go looking for data. This only feeds the business model of cyber criminals.”

 
 
