This clinic may have kept your records since 2013—and now they’re on the dark web
- Replies 0
A former patient said she felt ‘shocked’ to learn her medical records were dumped on the dark web—but she was even more disturbed by the email’s timing.
It landed at 11:00 pm on a Friday, five months after the breach happened, and said no one would be available to answer questions until Monday morning.
Some patients are only now finding out that sensitive medical and ID documents have been exposed since February.
Genea, one of Australia's largest IVF providers, faced backlash after confirming a February cyberattack led to patient data being published on the dark web.
The clinic sent out email notifications late last week revealing the breach, with former patients now accusing the company of mishandling the situation and leaving them in the dark for months.
One such email, sent from Genea’s chief executive Tim Yeoh, stated: ‘Personal information about you was taken and published on the dark web.’
Patients listed under the ‘Annexure A’ category were the most severely impacted, with the leaked information including not just identity documents but also medical diagnoses and clinical details.
‘We deeply regret that your personal information has been accessed and published and sincerely apologise for any concern this incident may have caused you,’ Mr Yeoh wrote.
Genea has refused to disclose how many patients were affected, citing the ongoing investigation by the Australian Federal Police.
Genea has concluded its investigation into the cyber incident which impacted our organisation in February,’ the company said in a statement.
‘This included a comprehensive analysis of the data published on the dark web to identify impacted individuals and the personal information relating to them.’
‘We are now starting to communicate with individuals about the findings from our investigation that are relevant to them, and the steps and support measures in place to help them protect their personal information. Genea expects to communicate with all impacted individuals over the coming weeks.’
One woman, who wished to remain anonymous, said she was appalled to receive Genea’s notification email at 11:00 pm on a Friday with no one available to speak to until Monday.
‘The communication from Genea on this data breach has been appalling,’ she said.
‘We only found out about this data breach from an email notification at 11:00 pm on last Friday, outside of business hours and telling impacted patients there was nobody available to respond to questions and concerns until 9:00 am on Monday.’
‘The fact the breach occurred in February, and we are only now being notified, five months on, for the very first time that sensitive information such as our driver’s licence, Medicare number, private health insurance number, all of which can be used for identity fraud, was stolen and is on the dark web is utterly unacceptable,’ she said.
She added that Genea also revealed her detailed medical information had been published—despite her last interaction with the clinic being in 2013.
‘It beggars’ belief that Genea even kept such sensitive information when we ceased any interaction with the company in 2013—12 years ago. Genea cannot claim that information was still needed for the purpose it was collected, and, as such, was legally required to have destroyed or de-identify it long before this breach even occurred,’ she said.
Another former patient, Matthew Maher, said he was informed in February via media coverage that Genea had been targeted.
He received an official email from the clinic, months later, stating that his name, phone number, address, Medicare and private health insurance numbers had all been leaked.
‘The last couple of weeks I’ve been getting a lot of weird phone calls,’ he said.
‘I can’t fault Genea, we’ve got a daughter out of it, but this has just put a bad taste to it.’
Mr Maher, who last used Genea six years ago, said he had tried following up but got no response.
‘I have told them if there is a class action or a claim of compensation, I’ll be the first to sign up,’ he said.
Claire Tomlin, who said she spent hundreds of thousands of dollars at Genea, still had no idea whether her data had been compromised.
She received two emails when the breach occurred, but nothing since.
‘I’ve had no update. They’ve got to release something,’ she said.
‘You are really vulnerable when [you first go to Genea]. All the stuff you have to hand over.’
Genea operates clinics around Australia and is among the country’s three largest IVF providers.
One in every 18 births in Australia is the result of IVF treatment.
If you're wondering just how common these kinds of breaches are, this isn’t an isolated case.
Sensitive data from trusted companies and services continues to fall into the wrong hands—and often on a massive scale.
Here’s another real-world example that shows just how widespread the problem has become.
Read more: Massive data breach exposes 16 billion accounts across Apple, Google and more
How would you feel if your deeply personal medical history from over a decade ago was suddenly leaked online?
It landed at 11:00 pm on a Friday, five months after the breach happened, and said no one would be available to answer questions until Monday morning.
Some patients are only now finding out that sensitive medical and ID documents have been exposed since February.
Genea, one of Australia's largest IVF providers, faced backlash after confirming a February cyberattack led to patient data being published on the dark web.
The clinic sent out email notifications late last week revealing the breach, with former patients now accusing the company of mishandling the situation and leaving them in the dark for months.
One such email, sent from Genea’s chief executive Tim Yeoh, stated: ‘Personal information about you was taken and published on the dark web.’
IVF giant under fire for data breach. Image source: Pexels/Tima Miroshnichenko
Disclaimer: This is a stock image used for illustrative purposes only and does not depict the actual person, item, or event described.
Disclaimer: This is a stock image used for illustrative purposes only and does not depict the actual person, item, or event described.
Patients listed under the ‘Annexure A’ category were the most severely impacted, with the leaked information including not just identity documents but also medical diagnoses and clinical details.
‘We deeply regret that your personal information has been accessed and published and sincerely apologise for any concern this incident may have caused you,’ Mr Yeoh wrote.
Genea has refused to disclose how many patients were affected, citing the ongoing investigation by the Australian Federal Police.
Genea has concluded its investigation into the cyber incident which impacted our organisation in February,’ the company said in a statement.
‘This included a comprehensive analysis of the data published on the dark web to identify impacted individuals and the personal information relating to them.’
‘We are now starting to communicate with individuals about the findings from our investigation that are relevant to them, and the steps and support measures in place to help them protect their personal information. Genea expects to communicate with all impacted individuals over the coming weeks.’
One woman, who wished to remain anonymous, said she was appalled to receive Genea’s notification email at 11:00 pm on a Friday with no one available to speak to until Monday.
‘The communication from Genea on this data breach has been appalling,’ she said.
‘We only found out about this data breach from an email notification at 11:00 pm on last Friday, outside of business hours and telling impacted patients there was nobody available to respond to questions and concerns until 9:00 am on Monday.’
‘The fact the breach occurred in February, and we are only now being notified, five months on, for the very first time that sensitive information such as our driver’s licence, Medicare number, private health insurance number, all of which can be used for identity fraud, was stolen and is on the dark web is utterly unacceptable,’ she said.
She added that Genea also revealed her detailed medical information had been published—despite her last interaction with the clinic being in 2013.
‘It beggars’ belief that Genea even kept such sensitive information when we ceased any interaction with the company in 2013—12 years ago. Genea cannot claim that information was still needed for the purpose it was collected, and, as such, was legally required to have destroyed or de-identify it long before this breach even occurred,’ she said.
Another former patient, Matthew Maher, said he was informed in February via media coverage that Genea had been targeted.
He received an official email from the clinic, months later, stating that his name, phone number, address, Medicare and private health insurance numbers had all been leaked.
‘The last couple of weeks I’ve been getting a lot of weird phone calls,’ he said.
‘I can’t fault Genea, we’ve got a daughter out of it, but this has just put a bad taste to it.’
Mr Maher, who last used Genea six years ago, said he had tried following up but got no response.
‘I have told them if there is a class action or a claim of compensation, I’ll be the first to sign up,’ he said.
Claire Tomlin, who said she spent hundreds of thousands of dollars at Genea, still had no idea whether her data had been compromised.
She received two emails when the breach occurred, but nothing since.
‘I’ve had no update. They’ve got to release something,’ she said.
‘You are really vulnerable when [you first go to Genea]. All the stuff you have to hand over.’
Genea operates clinics around Australia and is among the country’s three largest IVF providers.
One in every 18 births in Australia is the result of IVF treatment.
If you're wondering just how common these kinds of breaches are, this isn’t an isolated case.
Sensitive data from trusted companies and services continues to fall into the wrong hands—and often on a massive scale.
Here’s another real-world example that shows just how widespread the problem has become.
Read more: Massive data breach exposes 16 billion accounts across Apple, Google and more
How would you feel if your deeply personal medical history from over a decade ago was suddenly leaked online?
