Genea Data Breach Exposes Sensitive IVF Patient Data; Calls for Investigation Mount

Patients of IVF provider Genea demand accountability after a major data breach exposed their sensitive medical information.

Executive Summary

  • IVF provider Genea suffered a data breach in February, resulting in sensitive patient and donor medical information being published on the dark web.
  • Affected patients criticize the company’s response as inadequate and are pursuing legal action, while regulators have yet to launch a formal investigation.
  • A cybersecurity expert has filed a separate report raising concerns about potential ongoing vulnerabilities in one of the company’s applications.
  • Former patients report the company has refused requests to delete personal data even after statutory retention periods have apparently expired.

Patients of Australian IVF provider Genea are demanding accountability after a significant data breach in February led to highly sensitive medical information being published on the dark web. The incident has prompted calls for a formal investigation into the company’s cybersecurity practices, which have been further questioned by an independent security researcher who identified potential ongoing vulnerabilities.

Details of the Breach

In July, Genea, Australia’s third-largest IVF provider, confirmed that personal data stolen months earlier was available on the dark web. The compromised information included patient and donor names, dates of birth, medical histories, ancestry, and details from psychological evaluations. Affected individuals, like an egg donor identified as Nicole, described the company’s communication as a “depersonalised” apology that failed to address the gravity of the exposure.

Genea obtained a Supreme Court injunction to prevent the sharing of the stolen data, a move cybersecurity experts note is largely ineffective against criminals. The injunction also prevents affected patients from viewing the leaked material to ascertain the full extent of the breach. A class-action law firm has lodged a complaint with regulators after being contacted by hundreds of affected patients.

Ongoing Security and Data Retention Concerns

Amid the fallout, ethical hacker Jamieson O’Reilly submitted a report to the Australian Cyber Security Centre recommending a review of a Genea application due to potential security weaknesses. In a statement, Genea said it had “taken steps to further strengthen our security” but did not comment on the specific report. The company has also faced criticism from former patients, such as Rebecca Craven, who was denied a request to have her personal data deleted even after the seven-year legal retention period in her state had expired.

Calls for Regulatory Action

Despite ongoing liaison with government bodies, the Office of the Australian Information Commissioner (OAIC) has not yet launched a formal investigation into Genea. Cybercrime experts like Professor Richard Buckland of UNSW are urging the OAIC to take action, comparing the sensitivity of the stolen data to major breaches at companies like Medibank. He emphasized the profound potential impact on the mental well-being of individuals in vulnerable situations. Australia’s National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, acknowledged that reported incidents are likely just the “tip of the iceberg,” suggesting many breaches may go undisclosed by companies.
