IVF Data Breach Victims Pursue Compensation in National Regulatory Complaint

Share and Follow

Patients from Genea, one of Australia’s largest IVF clinics, are seeking compensation after their sensitive medical information was published on the dark web earlier this year.

The representative complaint, a type of complaint lodged by an individual on behalf of two or more people, was sent to the Office of the Australian Information Commissioner on 20 October. Melbourne law firm Phi Finney McDonald is acting on behalf of affected patients.

A recent complaint has surfaced alleging that a prominent company neglected to implement adequate measures to safeguard sensitive information from being misused, interfered with, lost, or accessed without authorization. This highlights a growing concern about data protection in the digital age.

It also alleges Genea failed to destroy or remove information once it was no longer needed, and that it breached its obligations under the Privacy Act 1988 by not informing affected individuals sooner.

Genea, a major player in the fertility industry and one of Australia’s largest IVF clinics, is at the center of this issue. The clinic operates 19 centers across Australia and has a presence in Thailand. Genea provides a range of specialized services, including in vitro fertilization (IVF), genetic testing, as well as egg and sperm preservation, and comprehensive fertility assessments.

According to the Australian Signals Directorate, cyber incidents have seen an 11 percent increase from the previous year, with large organizations being the primary targets of such attacks. This upward trend underscores the critical need for robust cybersecurity measures to protect sensitive data.

This complaint could potentially lead to compensation for patients affected by the data breach, opening the door for discussions on accountability and the protection of personal information in healthcare settings.

The exposed data included the medical histories, diagnoses, treatments, prescription medications, pathology, and diagnostic test results of patients.

Principal lawyer for Phi Finney McDonald, Olivia McMillan, said hundreds of people had contacted them “distressed that their personal information had been accessed by unauthorised parties”.

“Patients at Genea expected their highly sensitive medical, personal, and financial information on the company’s systems to remain private and confidential,” she said in a statement.

A spokesperson for Genea told SBS News it has partnered with IDCARE, Australia’s national identity and cyber support service, to provide counselling and other assistance at no cost for people who had been impacted, as well as opened a dedicated call centre and email.

“We thank our community for their understanding during our investigation into this cyber incident,” the spokesperson said.

“We deeply regret that personal information was accessed and published and sincerely apologise for any concern this incident may have caused.”

‘Like you’re being punished’

Former Genea patients told SBS News they were concerned about the implications of the data breach.

Isaac, who donated sperm through the company, expressed concerns he had shared extensive personal health and biological information using the clinic’s services, and a breach of that data could impact not only them, but also children conceived through his sperm.

“This is some of the most sensitive information about me,” he said.

“It’s supposed to be a good deed. It’s almost like you’re being punished because your information was held on a computer system.”

Isabel Lewis, who conceived her twin boys through IVF eight years ago, says she was informed by email in February that her personal data had been breached and posted on the dark web.

Lewis told SBS News in September the data breach had shaken her confidence in the industry, and she was considering legal action.

A middle-aged white woman in casual clothes is taking a selfie with her two young blonde sons, dressed in hoodies.

Isabel Lewis had her twin boys through IVF eight years ago. Source: Supplied

“I’m not doing it for the money, although money is fine and all, but if there are damages that are significantly painful, hopefully — and maybe I’m deluded — the business will change their practices so that they don’t have damages like that again.”

The Australian Signals Directorate (ASD) revealed earlier in the month there had been an 11 per cent rise in cyber incidents compared to last year, with almost half of the incidents targeting organisations.