Genea finally provides some information to patients whose data was stolen in a data breach in February 2025... it seems to be something of a debacle
July 23, 2025
In February 2025 Genea, a large IVF clinic, suffered a significant data breach involving the theft of its patients’ personal information. I posted on the breach on 19 February 2025. I was unimpressed by the uninformative statement regarding the breach. I also posted on Genea’s later activity, including obtaining injunctive relief, on 27 February 2025. On each of 4 and 10 March 2025 Genea provided an update, of sorts. On 4 March 2025 it confirmed that additional stolen data, which was part of the original theft, had been published on the dark web, and that it was “working to understand precisely what data [sic] has been published” and notifying affected patients and staff etc. It also put in the usual boilerplate about working with the Information Commissioner, the AFP, the National Cyber Security Coordinator and the ACSC. The 10 March update was lengthier though not much more informative. Genea was still “undertaking a full assessment of the incident” but provided recommendations regarding possible phishing or attempts at identity theft. It also referred to the injunction it obtained and provided a link to the orders made (which is something rarely done). This injunction followed the same approach taken by HWL Ebsworth in obtaining injunctive relief in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71. In March 2023 the UK High Court also granted injunctive relief against person(s) unknown in Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 762.
The latest update was on 3 July 2025, in which Genea announced that it had concluded its investigation and was “starting to communicate directly with individuals”. Beyond stating that it has engaged IDCARE, the balance of the announcement is a reworking of earlier announcements.
Today news.com.au published IVF giant Genea reveals dark web data breach impacting thousands, in which patients and former patients say the first time they were contacted about the data breach was last week, late on Friday to be precise. The ABC also covers the story with Genea IVF confirms sensitive patient health information on dark web.
Genea has refused to provide any detail on the size of the data breach: how many patients’ or former patients’ personal information was affected. That is quite unusual, but consistent with the minimalist approach Genea has adopted. It is a mistake. It has also refused to advise whether it has paid a ransom. That is less unusual, if it is the case. Very few organisations admit to paying ransoms. Such payments are not illegal, though from 30 May 2025 failing to report them to the Government is.
On the page where Genea provides updates on the cyber breach there is a pop-up titled “unlock your on-demand fertility webinar library” with the statement “From basics to advanced treatments, get free complete access to our webinar library from leading specialists nationwide.” There is a tab to click to “register here.” It is unintentionally amusing. To some it might be seen to be in poor taste, whether intentional or not.
Overall Genea has handled the data breach poorly. The announcements have been more about form than substance. It took 3 weeks from discovery of the data breach to advise that there had been such a breach. It then spent 5 months putting itself into a position to advise the people affected what personal information was stolen. That is an unaccountably and unreasonably long amount of time. BCI has focused on this in its article Why communication is as critical as cybersecurity: Genea breach. The article provides a brief, accurate summary of where Genea has gone so terribly wrong in the handling of this data breach and why it is fundamental to have a coherent and transparent communications strategy. It should be mandatory reading. While communication may not mitigate or vitiate liability, it will build some goodwill with those whose data has been stolen. That may reduce the numbers who want compensation. More importantly, vague and confusing, or even duplicitous, communication will enrage people and make it likelier that they will sue.
Given the sensitivity of the personal information it is unusual that no class action has been commenced, or at least announced. A class action is not mandatory; individuals can bring an action. While all the facts are not publicly known, thanks partly to Genea’s preference for concealment over candour, a brief review of what is known suggests that Genea would have some difficulty in defending a claim by someone whose personal information was stolen and then put on the dark web. Medical records are health information, which is treated as sensitive information under the Privacy Act 1988 and under equivalent legislation in the United Kingdom, Europe and the United States (where health records are specifically protected under the Health Insurance Portability and Accountability Act of 1996). In equity, the nature of the information would likely be regarded, prima facie, as confidential as between the patient and Genea.
The news.com.au article provides:
Patients of one of Australia’s largest IVF clinics are furious after learning their information was published on the dark web following months of radio silence from the company.
One of Australia’s largest IVF clinics has refused to reveal how many patients had their personal information published to the dark web after its data was accessed by an “unauthorised third party”.
IVF giant Genea began emailing patients late last week letting them know they had been affected – more than five months after the breach in February 2025.
One former patient received the email at 11pm on Friday.
The notification email, obtained by news.com.au, is sent from chief executive Tim Yeoh and states “personal information about you was taken and published on the dark web”.
The worst-affected patients were those in category “Annexure A” who, along with their personal identity information, had their “medical diagnosis” and “clinical information” published to the dark web.
“We deeply regret that your personal information has been accessed and published and sincerely apologise for any concern this incident may have caused you,” Mr Yeoh states in the email.
The email was sent to patients in “Annexure A” meaning multiple details were leaked.
However, Genea told news.com.au it would not be disclosing the total number of patients hit by the leak, as the crime remains “under investigation” by the AFP.
“Genea has concluded its investigation into the cyber incident which impacted our organisation in February. This included a comprehensive analysis of the data published on the dark web to identify impacted individuals and the personal information relating to them,” a statement from Genea said.
“We are now starting to communicate with individuals about the findings from our investigation that are relevant to them, and the steps and support measures in place to help them protect their personal information. Genea expects to communicate with all impacted individuals over the coming weeks.”
Patients furious over lack of communication
One former patient, who wished to remain anonymous, said she was shocked to receive an email from Genea at 11pm on Friday revealing her data had been leaked after months of silence from the clinic.
“The communication from Genea on this data breach has been appalling,” the woman told news.com.au.
“We only found out about this data breach from an email notification at 11pm on last Friday, outside of business hours and telling impacted patients there was nobody available to respond to questions and concerns until 9am on Monday.
“The fact the breach occurred in February, and we are only now being notified, five months on, for the very first time that sensitive information such as our driver’s licence, Medicare number, private health insurance number, all of which can be used for identity fraud, was stolen and is on the dark web is utterly unacceptable,” she said.
“What have they been doing for the past five months? And that isn’t the half of it. We’ve also only been notified now that detailed and highly confidential personal medical information, which could easily be used by hackers to blackmail people, has also been stolen and is on the dark web.
“It beggars belief that Genea even kept such sensitive information when we ceased any interaction with the company in 2013 – 12 years ago. Genea cannot claim that information was still needed for the purpose it was collected, and, as such, was legally required to have destroyed or de-identified it long before this breach even occurred,” the woman said.
Dad Matthew Maher, who only learned about the leak back in February thanks to media reports, said he received an email on Thursday night telling him his number, name, address, phone number, Medicare number and private health insurance number had all been posted to the dark web.
In February, the clinic issued a statement stating that they were “urgently” investigating the incident.
“The last couple of weeks I’ve been getting a lot of weird phone calls,” he said.
“I can’t fault Genea, we’ve got a daughter out of it, but this has just put a bad taste to it.”
Mr Maher, who last used Genea six years ago, said he had tried to chase the clinic up in recent months but had been met with silence.
“I have told them if there is a class action or a claim of compensation, I’ll be the first to sign up,” he said.
Claire Tomlin said she had spent hundreds of thousands of dollars with Genea – and was still unsure whether her data had been compromised.
She said she received two emails when the leak first occurred before the clinic “went dark”.
“I’ve had no update. They’ve got to release something,” she said.
“You are really vulnerable when [you first go to Genea]. All the stuff you have to hand over.”
Genea is one of Australia’s three largest IVF providers, with thousands of patients at clinics across the country.
One in every 18 births in Australia occurs with the help of IVF.
The ABC article provides:
Patients of Australia’s third-largest IVF provider, Genea, have been informed that their sensitive information — including medical history — has been posted on the dark web.
The update comes more than five months after the ABC revealed cyber criminals had targeted the fertility clinic, which is used by tens of thousands of people across the country.
In emails sent to affected patients over the past few days, Genea CEO Tim Yeoh confirmed the company had wrapped up its probe into the February cyber attack: “We are not notifying you about a new incident”.
“Genea’s completed investigation has confirmed that personal information about you was taken and published on the dark web.”
Emails obtained by the ABC state the data includes patients’ full names, addresses, dates of birth, and “clinical information related to the services that you received from Genea or other health service providers and/or medical treatment”.
A former Genea patient told ABC News the communications appeared to downplay the significance of the data leak.
The email claimed information was found on “a part of the dark web, which is a hidden part of the Internet” and “not readily searchable or accessible on the Internet”.
“We understand that this news may be concerning for you, and we unreservedly apologise for any distress that this may cause you,” the email stated.
The patient, who did not want to be named, had spent tens of thousands of dollars undergoing multiple unsuccessful rounds of IVF with the clinic between 2022 and 2024.
She told the ABC Genea had obtained her full medical history as part of the onboarding process.
“There is genetic information which really affects my family. There is information about mental health. It’s your whole history.
“That information could be used against you. And it could really change the course of your life.”
Genea will not confirm scope of breach or if ransom was paid
On Tuesday, Genea informed the patient her full name, phone number, address, date of birth, Medicare number, medical diagnosis and clinical information had been posted on the dark web, in an email she said was another example of the company minimising the breach.
She said companies like Genea should be held accountable for allowing customer data to be stolen and she intended to seek compensation.
“A lot of people chose Genea because they present themselves as personal, but except when something goes wrong, they just go quiet and close the doors and don’t talk,” she said.
“You have got no rights. The big corporation is just going to steamroll everyone.”
Genea would not confirm how many patients were affected by the breach, the name of the cybercriminal group claiming responsibility, or whether a ransom was paid — in full or in part.
Nor would the company provide a copy of the investigators’ report into the breach.
In a statement, a Genea spokesperson said the company had “concluded its investigation into the cyber incident which impacted our organisation in February”.
“This included a comprehensive analysis of the data published on the dark web to identify impacted individuals and the personal information relating to them.”
“We are now starting to communicate with individuals about the findings from our investigation that are relevant to them, and the steps and support measures in place to help them protect their personal information.
“Genea expects to communicate with all impacted individuals over the coming weeks.”
AFP investigation continues five months on from Genea attack
The company said the AFP was still investigating the cyber attack and it was working with the Office of the Australian Information Commissioner, the National Office of Cyber Security, the Australian Cyber Security Centre and relevant state departments.
The spokesperson said: “Genea has partnered with IDCARE, Australia’s national identity and cyber support service, to provide counselling and other services to patients at no cost if they wish to seek further support.”
Cybersecurity expert Richard Buckland said the data stolen made the Genea cyber attack extremely serious.
“Medical information is in the top category of sensitive information and it is shocking that it has been lost to criminals,” he said.
“It can lead to blackmail, medical fraud attacks, and shame and a loss of trust in the health system.
“IVF is deeply personal and stressful for many people and many do not choose to share that they are using IVF.
“This breach will cause personal stress to many people in a vulnerable state.”
Professor Buckland also criticised the delay in Genea notifying affected patients.
“It is deeply disappointing that the company has waited until the information has been published before telling affected customers what had been stolen,” he said.
“I challenge business leaders to put the welfare of their customers first ahead of their concerns about bad publicity.”
The data breach at Genea is one of a string of incidents affecting Australian companies in recent years including Optus, Medibank, Latitude, and, most recently, Qantas.
Like Qantas, Genea obtained a court-ordered injunction to prevent anyone from publishing or sharing the stolen data.
However, cryptography expert Vanessa Teague criticised the use of such injunctions, saying they were ineffective at stopping cyber criminals.
“It’s really effective for preventing law-abiding journalists from publishing,” she said.
Dr Teague said the publication of sensitive medical records online highlighted the urgent need for stronger privacy protections in Australia.
“It’s important to recognise that if the data has been accessed, it could have financial value — to insurance companies, to advertising companies — both of those clusters of companies.
“We need much stronger privacy laws that hold the source of the data breach accountable.”
Dr Teague said Australian companies handling personal data should face the same legal obligations as those in the European Union.
“If you hold sensitive data from other people, you should have high obligations to keep it secure — like in Europe. And if you fail in that responsibility, you should be held accountable,” she said.
She also warned that Australia’s current approach prioritised corporations over victims.
“There’s a continuing attitude that the companies are the victims. As long as we hold that view, we’ll never hold them to account.”
The BCI article, absent footnotes, provides:
In February 2025, Genea, a major Australian IVF clinic, was targeted in a cyberattack that unfolded over several weeks, exposing nearly 1TB of sensitive data, including medical records, contact details, IDs, and test results.
Patients and experts have criticised the clinic for its lack of timely and transparent communication, with one commenting, “They didn’t say anything about the data breach, just said they couldn’t go ahead with the cycle tracking this month.”
Genea became aware of unauthorised access on 31st January, but patients were not informed until 19th February—almost three weeks later. It was a further five days before the full list of stolen data was released, but by 26th February, it was already on the dark web.
The delay in notifying patients from when the breach was initially detected was due to the clinic’s focus on securing its network and assessing the scope of the attack. While this is important, it should have been prioritised alongside communication efforts, which would have lessened the reputational damage that ensued.
Reputational damage
Data on the consequences of disruptions over the past twelve months placed reputational damage in the top five with just over a third of organizations sharing that they’d suffered this effect following an incident.
Reputation is intangible, and damage is therefore hard to quantify, but tell-tale signs include drops in shares, staff retention issues, and investigations. For example, the UK’s Partygate scandal, where government staff held gatherings during the COVID-19 lockdown led to a public inquiry, called the government’s capabilities into question.
Certain sectors are more vulnerable than others due to the sensitive data and nature of the work involved (health, finance, government, etc.), but the risk is real for all, which is why being prepared is essential, especially when considering findings from the BCI Emergency Crisis Communications Report 2025 [5], which reveals a sharp rise in activation of crisis communication plans due to data breaches (43%) compared to 35.6% over the previous year—an increase of 7.4 percentage points.
Prepare and protect
A business continuity practitioner located in the Middle East [5] highlighted the importance of resilience: “Resilience is not a one-time effort; it’s an ongoing process. Organizations that prioritise training, technology, and structured response frameworks will always be better prepared for the unexpected.”
Unfortunately, there is no way to predict disruptions like cyberattacks, but preparing in advance can make all the difference, especially where reputation is concerned.
Findings from the BCI Emergency Crisis Communications Report 2025 [5], reveal that many organizations are still reliant on outdated or insufficient crisis communication methods despite advancements in tools and systems.
Research reveals a significant difference in the response capabilities of organizations using technology. 28.1% of surveyed organizations can activate their emergency communications plans within 5 minutes leveraging technology, as opposed to 11.5% without.
However human-driven issues such as inaccurate contact information, lack of engagement and poor internal coordination lead to response gaps and constitute barriers to effective crisis management.
These leading causes of failure in emergency communications highlight the importance of ongoing training and preparation alongside technological upgrades to maintain credibility with customers and stakeholders.
The BCI Emergency Crisis Communications Report 2025 [5] serves as a strategic tool for futureproofing your organization against reputational damage. Use it to prepare your crisis communications plans before crisis strikes.
It has also been reported in Your Life Choices with Thousands affected as major clinic confirms dark web leak, Seniors Discount Club with This clinic may have kept your records since 2013—and now they’re on the dark web and 9 News with Sensitive patient data leaked on dark web, major IVF clinic confirms.