Mid-February saw what could be one of the country’s biggest data breaches, eroding doctor-patient confidentiality and sending it elsewhere. And yet the government remains silent.
It’s been a staggering few years for the data of everyday Australians.
Medibank saw a breach and loss of data to the dark web, and not long after that, Optus saw the details of over 10 million customers breached and leaked, prompting everyday Aussies to change their driver’s licenses and stay permanently on the lookout for more scams ready to fleece them in other ways.
Recently, Ticketmaster felt the brunt of a hack and breach, but all of that pales in comparison to the most recent and brazen theft.
One of Australia’s biggest IVF and fertility providers, Genea, has seen its own files leaked, and the fallout could be catastrophic.
While most breaches cover details that can be a pain to replace — emails, phone numbers, license and Medicare details — the Genea breach deals with details that can’t be replaced.
It exposes not just information about patient identities, but a veritable stolen treasure trove of confidential details that cannot be changed, the likes of which could be making its way into foreign hands.
Imagine if the most intimate details about your life were put up for sale for anyone who wanted them. What would you do?
For thousands of Australians, that’s exactly where the Genea breach is going to leave them, and until the government steps in and does something about data security, they may have little recourse.
A breach of the most intimate details
It’s a breach that has made thousands of victims overnight.
A court injunction filed against “persons unknown” reports that Genea has seen 940GB of data transferred from its servers to the dark web, a staggering amount of data in the grand scheme of things.
That is nearly 1TB of critical and confidential patient information stolen. It should be on the front page of every news outlet demanding government action.
While Genea hasn’t reported on the exact number of affected patients — something it could still be trying to determine — former and current patients appear to have been affected, with the backlog of data going back as far as six years.
That number of patients is likely to be massive, especially over that span of time, as demand for IVF surges.
Back in 2020, the University of New South Wales noted that one in every 20 babies was born in Australia using IVF. Only three years later, another report from the same university saw those numbers increase to one in every 18 babies, suggesting IVF use is growing.
There are roughly 290,000 births each year in Australia, suggesting that there are between 15,000 and 16,000 IVF births going on those numbers alone. Of course, this doesn’t account for all the failed IVF cycles, with numbers back in 2018 suggesting under 20 percent of IVF cycles result in births.
This may seem like a lot of numbers for what should be a story on data security, but there’s a reason we’re diving in deep: those numbers keep people in the IVF system.
There’s no specific metric that can be applied to all people; after being married to a senior scientist and embryologist with a master’s in reproductive science and a PhD in the same area, I’ve heard every tip, every tactic, and every bit of research that can improve how families can fall pregnant.
But one thing is clear: falling pregnant still takes time, and regardless of your age or health, you could need as few as one to three cycles, and as many as 11 to 15 before you fall pregnant, or give up without results thousands upon thousands of dollars later.
IVF is costly to most in Australia, largely due to the lack of bulk billing practices. In the interest of transparency, this journalist’s wife works at one of those bulk billing IVF clinics, but it is not linked here, because it’s inconsequential to the story.
For most people, the lack of bulk billing facilities means IVF will be paid for out of their own pockets and with a bit of help from private medical insurance, and the numbers are big. Choosing to have a baby is not an inexpensive affair, and IVF makes that choice arguably more difficult.
The need to use IVF can happen to anyone. It’s not a women’s issue, and anyone might find themselves relying on science to help produce children. IVF is used by regular people, and by celebrities in Australia and across the world.
However it happens and whatever the need, one thing remains consistent about IVF: it is deeply personal and private. While some may be willing to share their stories and struggles, not everyone will, which could be what makes the Genea breach so damned heartbreaking.
Former and current patients exposed
Genea’s note that just over 940GB of data was compromised is staggering not just because the company hasn’t said how many patients that represents, but because the lost data may not have been encrypted.
The fertility giant’s initial wording of “folders” in its patient management system is a bit of a giveaway. While databases are often encrypted flat structures that require special commands to sort through, the word “folders” suggests something else: literal folders that anyone can browse through.
In Genea’s own words, the breach of these folders specifically covers:
Full names, Emails, Addresses, Phone Numbers, Medicare Card Numbers, Private Health Insurance Details, Defence DA number, Medical Record Numbers, Patient Numbers, Date of Birth, Medical History, Diagnoses and Treatments, Medications and Prescriptions, Patient Health Questionnaire, Pathology and Diagnostic Test Results, Notes from Doctors and Specialists, Appointment Details and Schedules, Emergency Contacts and Next of Kin, although the information differs for different individuals.
To Genea’s credit, the company will offer IDCare support to help protect some of this data. Unfortunately, much of this data cannot be protected, making this gesture a little hollow in places.
For instance, while Medicare card numbers and private health insurance details may well be protectable, confidential patient information the likes of which would normally fall quite literally under “doctor-patient confidentiality” would not be included as part of IDCare’s services.
Details such as medical history, diagnoses, treatments, medications, prescriptions, notes from doctors and specialists, and schedules hand third-party criminals a stolen treasure trove of data to sort through, and cannot be protected by ID protection mechanisms.
This is the very data that makes patient and medical databases so lucrative to cybercriminals, and it not only puts current and former patients at risk of more detailed and aggressive scams, but opens up other avenues, such as blackmail and extortion.
Technology experts can highlight what will likely happen in a scam-filled world, and warn of the approaches scammers are likely to take, but the sheer number of details in this breach puts patients, celebrities or otherwise, at risk of different types of crime.
Simply put, victims of the Genea data breach could well be the worst type of victims: ones who see immensely private unchangeable data available to the highest bidder, or at worst, some of the most vile, criminal individuals in the world.
So where is the government in all of this, and where is the protection for regular people?
Where is the Australian government on this?
Genea was notified of the breach in the middle of February, and it’s now the beginning of March. While the fertility provider works with the Office of the Australian Information Commissioner to investigate what happened, most of the government has been surprisingly silent over what could end up being one of the country’s most damaging data breaches.
Deeply personal data that patients cannot change and that should have been secured has instead been transmitted across borders. This goes beyond mere names, emails, phone numbers, driver’s licenses, addresses, and Medicare details to far worse information.
All details are frustrating when stolen, but some details can’t be replaced or changed, and shouldn’t be public. That’s the very point of doctor-patient confidentiality: your details are private. It is your choice if you wish to tell the world, and no one else’s.
And yet, a good two weeks on from the data breach, there’s been next to nothing from the government on this. What should be a wake-up call for every medical organisation around the country (and even the world), and should see people demand action from the government on privacy reform and regulations setting a duty of care for patient file security, has instead been met with surprising calm.
There’s been nothing from Communications Minister Michelle Rowland in the days since, despite her clearly being able to comment on public data security matters, such as X publishing misinformation on its platform, and her office reporting on changes to protect consumers shortly after the Optus breach.
A little over two weeks following the Genea breach, only one government organisation appears to have chimed in: the passport office, which warned that passports may have been compromised, despite Genea not revealing that fact itself.
It’s a pretty damning sentiment from any government.
Instead of being quiet, elected officials should be talking up what they plan to do and the methods of data security they plan on enforcing.
No one is suggesting all data is unhackable: anything stored on a computer can conceivably be hacked. However, between what is likely a lack of encryption and a clear lack of guarantees for data security, the people are the ones suffering, and they will likely see more infractions like this.
From here, governments need to take action. Governments need to stand up and say there’s a minimum level of security all medical organisations need to meet, and that this needs to be taken seriously.
And if there are civil penalties pending for the Optus breach (and there are), medical organisations housing this data need to know that the same could fall to them, as well.
One has to hope the government has the decency to stand up and say “this isn’t right” and actually do something. Victims from the Genea hack should have more than the right to be uncomfortable about their data being in the hands of total strangers, and potentially be compensated for what will likely be an attack on their rights for years to come.
Otherwise what really is the point: a slap on the wrist for a company that potentially undervalued security, and a criminal injunction against “persons unknown”? As one expert told News.com.au, the injunction was “hilarious” and “theatrical”. I’m sure criminals really care what the NSW courts have to say on the matter.
Australians expect real answers and real change, with a minimal requirement of security and guarantees for their data. Otherwise governments may as well give up and hand over the keys now. It’s not as if anything will change without action.