Current and past clients of IVF provider Genea Fertility Australia are being urged to contact identity theft protection services after the company confirmed that all its patient-related data was available to attackers in a cyber incident whose full scope is still becoming clear.

The firm, which detected “suspicious activity” on its network on 14 February and publicly confirmed its compromise five days later, said in a 24 February update that “extensive remediation efforts” had confirmed its patient management system was breached.

Although Genea maintains that “at this point it is unknown” exactly which personal information in the system was compromised, it said the system contained a broad range of sensitive information that would have been appealing to cybercriminals.

Data stored in that system includes patient particulars, Medicare card numbers, private health insurance details, medical histories, diagnoses and treatments, medications and prescriptions, test results, emergency contacts, next of kin, and other data.

“At this stage there is no evidence that any financial information such as credit card details or bank account numbers have been impacted by this incident,” Genea said, promising further updates as additional information comes to light.

There has been no confirmation as to whether the attack involved ransomware, although Genea said it had initially shut down systems and servers – with many clients reporting that they were unable to contact the company to verify the status of their treatment plans.

Attackers are disrupting communities

Such problems are par for the course these days, said Trevor Dearing, director of critical infrastructure at cybersecurity firm Illumio, who noted that “cyberattacks on healthcare providers instantly disrupt communities, often with critical consequences.”

That company’s recent Global Cost of Ransomware Study found that 58 per cent of companies hit by ransomware had to shut down their operations for at least 12 hours after an attack – with an average 17 people spending 134 hours each to recover.

“All healthcare organisations must get to the point where they have the confidence that an attack won’t disrupt critical systems and patient care,” Dearing said, encouraging use of zero trust security “to restrict and control communication and movement through their network.”

The presence or absence of two-factor authentication (2FA) has not been confirmed in Genea’s case, but its absence is a factor in many breaches, as cybercriminals use credential stuffing to break into target systems with username and password combinations widely available online.

Given the nature and breadth of sensitive data stored in healthcare systems, 2FA is seen as table stakes for operating in today’s environment – yet statistics show that healthcare organisations remain the most frequently compromised type of business in Australia.

Investigations into the major breach of private health insurer Medibank, for one, revealed that the company had been warned to adopt 2FA to restrict access to key systems but had not bothered to do so – an oversight that security experts called “shocking”.

Patients urged to be proactive

The breach is a wakeup call for privately held Genea, whose more than 400 employees have transitioned through ownership changes in 2019 and then again in 2022 as investment firm Liverpool Partners consolidated it with IVF provider Adora Fertility Pty Ltd.

Ensuring data security through merger and acquisition (M&A) processes is complex, with disparate data systems difficult to secure consistently and staff often poached – as happened to Genea, which last year lost four key fertility specialists to rivals amidst the tumult.

With so many moving parts inside changing businesses, security oversights often let cybercriminals move in for the kill – leaving patients trying to understand the impact on their personal information and, in this case, the status of their complex IVF treatments.

It’s more common than many people appreciate, said Kathy Sundstrom, national manager for outreach and engagement with IDCARE, a business-supported service for breach victims to which Genea, like many other breached businesses, has referred concerned clients.

“When the public think of data breaches they think of the big ones – Latitude, Optus, Medibank,” Sundstrom told Information Age, “yet at any given time IDCARE is dealing with the response service for 10 to 20 [smaller] breaches.”

IDCARE is seeing an “ever-increasing number of people who come because they know something has happened,” she said, adding that “criminals collect the data and put it together to create profiles of people” that are then used for identity theft and fraud.