A leading Australian fertility clinic has apologised to customers and says it is investigating a breach of its computer network that forced it to take some of its servers and systems offline.
Major IVF provider Genea, which is used by tens of thousands of patients at clinics around Australia, emailed customers on Wednesday to say it was “urgently investigating a cyber incident after identifying suspicious activity on our network”.
“As soon as we detected the incident, we took immediate steps to contain the incident and secure our systems,” the email to customers, seen by InnovationAus.com, says.
The nature of the incident and types of data compromised are unclear, but the company holds the sensitive information of patients.
“Our ongoing investigation has identified that an unauthorised third party has accessed Genea data,” the email from Genea CEO Tim Yeoh said. “We are urgently investigating the nature and extent of data that has been accessed and the extent to which it contains personal information.”
A company spokesperson said Genea has engaged cybersecurity experts to assist with its response and it is liaising with the Australian Cyber Security Centre.
“Our investigation is ongoing and we will communicate with any affected individuals if our investigation identifies any evidence that their personal information has been impacted, consistent with our legal and regulatory obligations,” the spokesperson said.
Genea is a leading provider of fertility treatments and testing including IVF and egg and sperm freezing. It operates a dozen clinics in New South Wales and also has a presence in Victoria, Queensland, Western Australia, South Australia and the ACT.
As part of some of its services it asks patients to provide sensitive information about their medical history.
“The protection of our staff and patients’ information is our utmost priority,” the spokesperson said. “We apologise for any concern or inconvenience that this incident has caused and will provide patients with relevant updates as we learn more.”
Customers are being urged to stay vigilant to phishing scams or other suspicious communications in the wake of the breach, and are asked to verify the company’s communications by checking for correct email addresses and domains.
The scale of Australia’s latest data breach remains unclear, but major incidents involving Medibank and Optus have triggered reforms to how companies must respond to incidents.
Landmark cybersecurity legislation passed the Parliament last year, introducing a mandatory ransomware reporting regime and protections for businesses that cooperate with authorities in the aftermath of a cyber-attack.