Data stolen from IVF provider Genea Fertility was published on the dark web despite a court injunction against using or publishing the data, the company has confirmed as it completes its investigation into the February incident.

The firm is contacting affected individuals with details of what data was taken, it said in a 3 July update following on from the breach, in which patient data was stolen en masse after criminals ran free inside its BabySentry patient management system.

Its investigations included a “comprehensive analysis of the data published on the dark web to identify impacted individuals and the personal information relating to them,” the company said, with the AFP and other agencies continuing their investigations.

The ABC reports seeing emails sent to patients that confirm the compromised data includes patients’ full names, addresses, phone numbers, dates of birth, Medicare card numbers, medical diagnoses, and clinical data about their use of Genea services.

Genea seemingly attempted to reassure recipients of the email by telling them the information was found on the dark web, which it described as “a hidden part of the Internet… not readily searchable or accessible on the Internet.”

“We deeply regret that personal information was accessed and published and sincerely apologise for any concern this incident may have caused,” the update says.

Is there any point to the injunction?

A record in the Supreme Court Sydney confirmed that the injunction, which was lodged by Corrs Chambers Westgarth and saw an interim order granted in February and extended several times, was set to become permanent at a 24 July hearing.

The order bans the unknown cybercriminals, and any third party holding the ‘Genea Dataset’, from transmitting, publishing or disclosing material from the data set “at any location on the internet or facilitating such steps”, or from promoting or publishing links to it.

Around 940.7GB of data was stolen from Genea’s network and servers, including some hosted by cloud provider DigitalOcean, after cyber criminals accessed the company’s Citrix remote access environment, domain controller, and backup server on 31 January.

The injunction also prevents “using”, including viewing, any information from the data set and orders the unknown defendant to “permanently delete or otherwise destroy any material obtained from the Genea Dataset already in their possession.”

Since the defendants remain unknown, notice of the injunction was ordered to be published at a redacted “support link” and emailed to several email addresses, also redacted but presumably related to the dark web users who have published the data.

Despite the limited jurisdictional reach of such injunctions, they have become an increasingly common part of the response of companies affected by data breaches, with law firm HWL Ebsworth among the first firms reported to have sought one after its 2023 breach.

Qantas, for its part, recently secured an injunction against publication of the data it lost on 6 million customers – amidst new revelations that “potential” cybercriminals had given the airline 72 hours to get in touch, and then followed up to apply more pressure.

Based on Genea’s latest communications to patients, the company’s own injunction also seems to have failed to prevent publication of the stolen data – so are such injunctions a waste of time?

“While cyber-criminals based overseas might not take much notice of such an injunction, orders can be framed to capture others who come into possession of the hacked information,” law firm Clayton Utz has noted.

“This, in turn, can at least help to prevent further dissemination of hacked data or information in places where it is more likely to be seen by ordinary people, and not just those lurking in the dark web with nefarious intent.”

Healthcare security under the microscope

As Genea’s patients work through the psychological and practical implications of their data having been breached, the company has become just the latest in a long line of healthcare and other organisations whose sensitive patient data has been breached.

Healthcare organisations accounted for 20 per cent of the 1,113 breaches reported to the Office of the Australian Information Commissioner (OAIC) during 2024 under the notifiable data breaches (NDB) scheme, the agency recently reported.

Health information was compromised in 201 of those breaches, with contact information breached in 489 incidents, identity information in 376, and financial details in 266 breaches – with at least 10 incidents affecting over 100,000 people in 2024 alone.

Pressure to provide transparency around such breaches is seeing pushback from many companies, with a new Bitdefender survey of 1,200 IT and security professionals finding 57.6 per cent said they had been pressured to keep data breaches confidential.