Major Australian in vitro fertilisation (IVF) provider Genea is working to reassure distressed patients after confirming that an “unauthorised third party” has accessed its data in a breach whose scope is still becoming clear.

A nationwide provider of IVF services that is among Australia’s largest, the firm said in an update that it had detected “suspicious activity” on its network and had shut down some systems and servers while it investigated to find out what data and systems were breached.

Phone lines were down, Genea’s app was offline and emails were going unanswered, the ABC reported, quoting frustrated patients who rely on the clinic’s data processing systems to manage critical blood test data that sets the timing of their $12,000 IVF treatment cycles.

Patients fear the disruptions from what Genea termed a “cyber incident” could not only put sensitive personal and medical information into cybercriminals’ hands but compromise the efficacy of their treatment cycles.

“We want to reassure patients that we take your privacy and the security of your data very seriously,” Genea said in committing to contacting affected individuals directly if its investigation “identifies any evidence that their personal information has been impacted.”

For patients who have not been directly notified by their local clinic, Genea advises that “there is no change to your current treatment schedule…. [ensuring] that there is minimal disruption to your treatment is of our utmost priority and importance.”

A critical industry, critically exposed

Genea, along with rival firms Monash IVF and Virtus, is said to account for over 80 per cent of the projected $810 million in revenues the IVF industry will generate this year as it contributes to the birth of nearly one in 20 Australian babies.

The company isn’t the first IVF provider to be targeted by cyber criminals, with Monash IVF suffering a “malicious cyber attack” in 2019 that saw its patients targeted by scammers – who used stolen data to try to trick its clients into opening malicious email attachments.

Clients of Genea should be on the lookout for similar scams, with the Australian Cyber Security Centre (ACSC) advising caution after any data breach and telling victims to be ready to act if their data turns out to have been compromised.

The sensitivity of IVF-related data was evident last year when Monash IVF settled a $56 million class action over its destruction of the embryos of more than 700 patients based on incorrect data.

The personal nature of healthcare data has made healthcare the most frequently attacked industry sector, with financial and risk advisory firm Kroll recently reporting that healthcare breaches comprised 23 per cent of all breaches last year, up from 18 per cent the year before.

This included the breach of Change Healthcare, which was last year hit by ransomware that crippled the US healthcare system for weeks – with recent revelations that the incident, caused by a lack of multi-factor authentication (MFA), affected 190 million people.

“We are moving into a new era in which our expectations of entities are higher,” Australian Privacy Commissioner Carly Kind wrote as Office of the Australian Information Commissioner (OAIC) statistics confirmed that healthcare firms account for 1 in 5 Australian data breaches.

Health service providers reported 102 breaches during the first half of 2024, the OAIC said – nearly twice as many as were reported by Australian government bodies, and as many as were reported by financial services bodies and education providers combined.

Recent enforcement action against firms like Australian Clinical Labs, which was sued in 2023 after the OAIC alleged it had failed “to take reasonable steps to protect [clients’] personal information from unauthorised access or disclosure”, reflected growing impatience with poor security.

With 189 data breaches involving healthcare data during the first half of 2024, Kind said that such action “should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.”