Class action looming from data breach at Genea

August 11, 2025 |

Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

One of Australia’s largest IVF providers has sought to suppress how sensitive medical and personal information for potentially thousands of its patients was published to the dark web by cybercriminals, as victims seek to launch a class action.

Genea, the country’s third-biggest fertility clinic operator, informed an undisclosed number of patients that their private information had been published on the dark web in February after its internal systems were breached.

Stolen data included patients’ full names, dates of birth, addresses, mobile numbers, treating doctors, medical diagnoses, Medicare numbers and private health fund details, Genea revealed to patients in emails.

Australian Federal Police are conducting a criminal investigation into the breach.

Genea has sought suppression orders in the Federal Court to prevent disclosure of details regarding its containment and remediation measures and its negotiation strategy, and the identities of its cybersecurity experts.

Class action law firm Phi Finney McDonald is investigating the circumstances of the data breach after being contacted by several distressed current and former patients.

Principal lawyer Tania Noonan said: “Patients at Genea are entitled to the highest levels of privacy and safety to ensure their personal details and medical histories remain secure.”

One Genea patient, Dean*, described the breach as “emotionally devastating”. He wishes to join a potential class action and wants punitive action taken against Genea.

“If I could think about any part of my life that I would not want to be available to download on the dark web, it would be my medical information and more poignantly, my fertility information.”

It’s made me feel really icky to know that … our entire medical and fertility history is available to purchase by anyone who wants it,” he said.

In a statement, Genea said it sincerely apologised and deeply regretted that personal information was accessed and published.

“We are committed to learning from this incident, and we have taken steps to further strengthen our networks to ensure that we can continue to provide the very best care to our patients,” it read.

Genea obtained an injunction to prevent any access, use, dissemination or publication of the affected data, to protect the information of its patients, their partners, and staff.

In a hearing last month, Genea’s counsel argued that if the company’s containment and remediation measures were made public, it would invite hackers to exploit its systems further.

NSW Supreme Court Justice Michael Slattery agreed that it was important to suppress personal and medical information of affected patients.

But, Slattery said: “There is a public interest in knowing about this kind of problem and … how it is dealt with.

”I’m not convinced that information [about] your clients, employees or your client’s internal operations should be suppressed,” the judge said. “I’m not convinced that the identity of the cybersecurity experts you have retained … [and] that your containment or remediation measures should be suppressed.”

Genea breach timeline

    • February 19, 2025

      Genea emailed patients advising them it was urgently investigating a cyber incident after identifying suspicious activity on its network, and that it had taken immediate steps as soon as the breach was detected.

    • February 24, 2025

      Genea publicly said it was investigating a data breach, saying its patient management systems had been accessed by a third party. It was then unknown what personal or health information had been compromised. The type of information contained in those systems included names, home addresses, medical history, Medicare information, diagnosis and treatments, medications and diagnostic results.

    • February 26, 2025

      Genea reported that the data appeared to have been published on the dark web by a threat actor. The company obtained a court-ordered interim injunction to prohibit access to, use of, dissemination, or publication of the data. The interim injunction was granted for one month.

    • March 10, 2025

      Genea said it was continuing its investigations into the breach, and that it would advise affected patients that the data had been published on the dark web.

    • July 3, 2025

      Genea said that it had concluded its investigations and had identified which individuals were affected.

    • From July 28, 2025 onwards

      Genea sent a mass email informing victims of the breach (including patients and partners) about the information being published to the dark web.

    • July 24, 2025

      The Supreme Court of NSW granted Genea an injunction concerning the publication of the exfiltrated data.

    • August 7, 2025

      Class action law firm Phi Finney McDonald is investigating the circumstances of the data breach of Genea’s IT network, and potential claims that may be available to impacted patients against Genea as a result  of the breach.

“I may be persuaded that your negotiation strategy with the threat actor should be suppressed if there’s evidence that there are ongoing negotiations,” Slattery said.

The suppression orders, directed at the hackers, are supposed to stop them from disseminating the information they stole.

But since Genea doesn’t know who they are – and cannot tell them that the order exists – such an order is intended to prevent other people from downloading the information and sharing it, and has been used in earlier cases of cyber breaches.

Former patient Daisy* said patients had a right to know what measures Genea had in place to protect their patients’ information and the actions it took once the breach was identified.

“Why aren’t we able to know whether or not they had the right security in place to protect our personal and sensitive information?” the 34-year-old said.

“You go somewhere like this, never thinking your information would be released,” she said. “I’ve spoken to so many women who have said, ‘I have chosen not to share our IVF journey’.”

Two patients affected by the breach are now considering moving homes due to the sensitive nature of their work and the danger posed by having their address and other personal information shared on the dark web, where criminal actors can access it.

Josie*, another patient wishing to join a potential class action, had undergone extensive treatment with Genea over four years.

“They will have a huge amount of information, genetic test [information], various medical tests, [and] sociodemographic information,” she said.

“There will be children who have been born using donor eggs, donor sperm or donor embryos – and all of that information will presumably be out there. So it’s not just information about the parents involved.”

Genea has established a call centre to support patients whose data had been breached.

The Nine story provides:

A young Sydney couple say they have been “forced” into making the heartbreaking decision to remove their embryos from storage after their medical information was leaked by one of Australia’s leading IVF clinics.

Dozens of patients have filed a class action lawsuit against Genea after a major data breach earlier this year, which resulted in sensitive and personal information being published on the dark web.

Genea refuse to say how many patients were hit by the February leak with patients still being notified this week that their data was published.

Mark Thompson and his wife Tara are two of the patients eager to sue Genea over the breach after Tara’s diagnosis and treatment history were published to the dark web.

The couple have told Genea they want to remove their embryos from storage due to further privacy fears – robbing them of their hopes of expanding their family.

He said the cycle to create the embryos cost the couple about $14,000.

Speaking to news.com.au, Mr Thompson said they made the difficult decision after months of silence from Genea since the data breach.

Patients of Genea are still being notified that their data was leaked in the February breach. Picture: Supplied
The information has been sold to the dark web, Genea said. Picture: Supplied
The information has been sold to the dark web, Genea said. Picture: Supplied
 
Genea still refuses to say how many patients were hit by the breach. Picture: Supplied
 

He said that since informing Genea of their decision, they have been met with silence – with the company continuing to take out the monthly fee for the storage.

“I’ve told them directly that I’ll be taking my eggs out of storage and waiting on some sort of acknowledgment of that just that statement, and I’ve still got nothing,” Mr Thompson said.

“How can you, in a situation like this, continue to charge for this egg storage, but you’re not telling me anything about this data breach.”

The Thompsons are the latest heartbreaking story to come out of the Genea data breach.

Sydney woman Aleks James told news.com.au she spent about $250,000 with Genea over the course of a decade, with all of her cycles unsuccessful.

In July, she was sent an email telling her that her data have been leaked – before receiving another email last week, detailing that even more of her details had been published to the dark web.

“We had closed that chapter of our lives…all my pregnancies were unsuccessful and now it’s reopened those wounds,” she said.

“You’re just saying to me that my whole information has been sold on the black market somewhere and there is no explanation on how?”

In June, one man who had donated sperm to his close friends through Genea spoke to SBS News about having his data posted on the dark web.

“It was supposed to be a good deed. It’s almost like you’re being punished because your information was held on a computer system,” he told SBS News.

”I don’t know what the next step is, but having some information about what the f**k is happening is probably a good bloody step.”

Aussie journalist Alex Bruce-Smith also wrote about her data being leaked after deciding to freeze her eggs with Genea.

 

“My reasons were boring (in my early 30s and single) and the results were decent,” she wrote in Pedestrian.

“Every single thing I spoke to a doctor about while freezing my eggs is now available for someone else to read. My medications, my fertility concerns, my hopes for the future. I’m a fairly open person, and even that makes me squirm.”

Class action

Singleton father Matthew Maher is one of the affected patients who is leading the charge for a class action lawsuit against Genea.

Mr Maher has been in touch with both Slater and Gordan and Maurice Blackburn, who said they are looking into the matter.

“I have told [Genea] if there is a class action or a claim of compensation, I’ll be the first to sign up,” he said.

A spokesman for Genea told news.com.au the company would still not be revealing how many patients have been affected by the breach.

“We deeply regret that personal information was accessed and published and sincerely apologise for any concern this incident may have caused,” the spokesman said.

8 Responses to “Class action looming from data breach at Genea”

  1. Merlin August 11th, 2025

    Would be interested to know is class action happening as I’m one of the customers who’s affected.

  2. Peter Clarke August 11th, 2025

    It looks like it is happening. The question is which firm or firms will be representing the plaintiffs. It looks like proceedings have not been issued as yet. Check out the websites of the various firms listed in the articles.

  3. Cathy August 12th, 2025

    Very interested in joining the class action. My partner and I are impacted with all our personal health information on the dark Web. I’m angry and dissapointed. We spent thousands on 4 cycles of IVF and countless operations I needed before the cycles due to health related issues. This is ALL on the dark Web now.

  4. Dijaana August 13th, 2025

    I received an email from Genea this week. Phoned them the same day still no phone call back from them.
    This relates back to 2017 and 2020

  5. Peter Clarke August 18th, 2025

    That is a familiar experience. Genea is doing the bare minimum and no more.

  6. Peter Clarke August 18th, 2025

    In the articles I referred to in my posts the various law firms have been listed. I suggest you make contact.

  7. Alison September 3rd, 2025

    I would like to join any class action lawsuit. Please contact me if this goes ahead.

  8. Peter Clarke September 5th, 2025

    I suggest you contact Maurice Blackburn and Slater and Gordon who both said they were investigating. I am a barrister so don’t organise the class action filings. I am involved when the claims are filed in court.

Leave a Reply