Australian technology news, reviews, and guides to help you

Australian IVF group Genea sees data breach, what should customers do

Another data breach has hit a big Australian company, and while no one has claimed responsibility, the damage could be pretty severe. What should people do if they’re concerned?

Security is a big issue, and while regular people are expected to keep their files and passwords secure, the same applies for big companies. There are different requirements to be sure, but security should be something every company considers, particularly when they’re in the business of storing personal details.

In the past few years, the regularity with which we’re beginning to see data breaches should be a wake-up call for businesses, which owe their customers a duty of care: great security and a minimal chance of data loss.

However, it can happen to anyone, and this week, it appears to have happened to someone else.

It happened with Optus and then with Medibank, and more recently with Ticketmaster seeing its own breach in the last year. Now one of Australia’s biggest IVF providers, Genea, has seen a breach, and it appears to be a big one.

Based on the email Pickr has seen (which is now also published on the company’s website), the expected data included as part of the breach is severe, with the patient management system compromised.

According to Genea, those details include obvious information such as name, email, addresses, birthdates, and phone numbers, but they go deeper with health insurance details, diagnoses and treatment, medication and prescriptions, notes from doctors and specialists, Medicare card numbers, and even the details of emergency contacts and next of kin.

It’s a lot of data to be taken, and while Genea hasn’t confirmed what personal information for patients has been taken, the company has noted that no financial information was included in the breach.

Former and current patients will no doubt hope the data was encrypted, limiting the potential fallout considerably, as secure data is a part of government requirements in the state where Genea operates. But with the wording from Genea citing “patient folders”, expectations of this data being encrypted and unusable are low.

Pickr has reached out to Genea to find out whether the data was encrypted or not. If it wasn’t, what are the risks?

What are the risks from this breach?

If the folders were easy to access, it means the data theft is quite serious, and the risks start to become clear.

While there’s not quite enough data in the breach for a 100 point ID check, such as the kind needed for a home loan, combined with data from other breaches, there may be something to work with for criminals.

For instance, if you were affected by the Optus breach and you didn’t change your license following the fallout, the combination of a driver’s license leaked from that hack and Medicare card details from this one could provide a way for criminals to apply for a loan or even port your phone number. The latter of these is particularly problematic, considering phones are tied to passkeys as well as multi-factor authentication, opening up the possibility for further and more severe hacks.

Patient data simply being out in the open is another risk. Diagnosis data, prescriptions, and specialist information could make for extortion attempts, particularly if the data is sold.

Once the data finds its way into criminal hands, there’s the risk of third parties having access to medical records they shouldn’t have in the first place, really opening up those risks further.

What sort of scams could we see?

Scams are the obvious target for this sort of data, particularly because every patient file could be easily linked to emails and full names, giving scammers a lot of information to work with.

As such, former and current patients affected by this data breach will want to watch their emails carefully over the coming months, checking for scams pretending to be IVF clinics, medical facilities, or even just your typical myGov scam given how complex they’re getting.

You can largely expect scammers to go deeper than this, but the good news is the same tips that work on current scams will work on these, too.

That means paying attention to the web address in your web browser’s URL bar or omnibar, and making sure you’re at the real site. Paying close attention to the little details can help make all the difference, and web addresses aren’t the only thing to check.

Look at emails and text messages carefully, and don’t click on links in messages until you’ve read the content and decided it is legit.

And if you do accidentally click — because some scams can be super convincing — check that URL properly before you feed it information, or just close down the web browser and do a Google search for the real website. Scammers won’t be able to replace the real site in search.
