Genea IVF Data Breach Claimed by Termite Ransomware Gang

Australian IVF provider Genea suffered a major data breach. The Termite ransomware gang stole 940 GB of sensitive patient data, including medical histories and personal details.

    Genea IVF Data Breach: Termite Ransomware Gang Steals Patient Data

    Genea, one of Australia’s largest fertility services providers, has suffered a major data breach. The Termite ransomware gang has claimed responsibility for the attack. The stolen data includes a vast amount of sensitive patient information.

    IVF Data Breach Details

    Genea, operating since 1986 (originally Sydney IVF), offers various fertility services across 22 clinics. They, along with Monash IVF and Virtus, control over 80% of Australia’s IVF market revenue.

    Genea initially reported a “cyber incident” last Wednesday after detecting suspicious activity. A subsequent statement confirmed data theft and online publication of the stolen information. The company obtained a court injunction to prevent further data dissemination.

    A redacted court order reveals that the attackers compromised Genea’s network on January 31, 2025, via a Citrix server. From there they accessed the primary file server, a domain controller, the backup program, and the BabySentry patient management system.

    By February 14, 2025, they had exfiltrated 940.7 GB of data to a server hosted at DigitalOcean.
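    An exfiltration of this size over roughly two weeks, to a single external cloud host, is the kind of egress pattern that flow telemetry can surface before the data reaches a leak site. The following detector is an added example, not code from the original article, from Genea, or from any Termite analysis: it aggregates constructed flow records per (internal source, external destination) pair and flags pairs whose cumulative outbound volume crosses a threshold. The internal address ranges, the 16 GiB threshold, and the sample flows are all assumptions for illustration.

```python
"""
Bulk-egress detector over flow records (added example, not from the article).

Aggregates outbound bytes per (internal source, external destination) pair
and flags pairs whose cumulative volume exceeds a threshold. The address
ranges, threshold and sample flows below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample flow log: "timestamp src dst dst_port bytes_out".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as
# stand-ins for external hosts; 10.20.0.15 plays a compromised file server.
SAMPLE_FLOWS = """\
2025-02-01T02:14:07Z 10.20.0.15 203.0.113.44 443 4294967296
2025-02-01T03:40:19Z 10.20.0.15 203.0.113.44 443 6442450944
2025-02-02T01:05:52Z 10.20.0.15 203.0.113.44 443 8589934592
2025-02-02T09:12:00Z 10.20.0.31 198.51.100.9 443 52428800
2025-02-02T10:30:45Z 10.20.0.15 10.20.0.2 445 734003200
2025-02-03T00:55:11Z 10.20.0.15 203.0.113.44 443 10737418240
2025-02-03T12:00:00Z 10.20.0.77 198.51.100.200 80 1048576
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse whitespace-separated flow lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def detect_bulk_egress(text: str, threshold_bytes: int = 16 * 2**30) -> list[dict]:
    """
    Return alerts for (internal src, external dst) pairs whose cumulative
    outbound bytes reach threshold_bytes, largest first. Internal-to-internal
    traffic (e.g. SMB to a file server) is ignored; only egress counts.
    """
    totals: dict = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": None, "last": None})
    for f in parse_flows(text):
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        rec = totals[(f["src"], f["dst"])]
        rec["bytes"] += f["bytes"]
        rec["flows"] += 1
        rec["first"] = f["ts"] if rec["first"] is None else min(rec["first"], f["ts"])
        rec["last"] = f["ts"] if rec["last"] is None else max(rec["last"], f["ts"])

    alerts = []
    for (src, dst), rec in totals.items():
        if rec["bytes"] >= threshold_bytes:
            alerts.append({"src": src, "dst": dst, "gib": round(rec["bytes"] / 2**30, 2), **rec})
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(SAMPLE_FLOWS):
        span = (a["last"] - a["first"]).total_seconds() / 3600
        print(f"ALERT {a['src']} -> {a['dst']}: {a['gib']} GiB over "
              f"{a['flows']} flows spanning {span:.1f} h")
```

    A fixed byte threshold is the crude form; in production the threshold should come from a per-host baseline (a file server normally sends very little to the internet, so even a few gigabytes to one unfamiliar cloud address is anomalous for it), and the same aggregation should be keyed on destination ASN as well as IP, since an attacker can rotate hosts within one provider.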

    The injunction is intended to stop any further sharing of the stolen data. Genea is also working with the Australian Cyber Security Centre.

    Details of Stolen Data

    The stolen data included extensive patient information. The exact fields vary from patient to patient, but they included:

    • Full names, emails, addresses, phone numbers, and dates of birth.
    • Emergency contacts and next of kin details.
    • Medicare card numbers, private health insurance details, and Defence DA numbers.
    • Medical history, diagnoses, treatments, medications, and prescriptions.
    • Patient health questionnaires, pathology and diagnostic test results, and doctor’s notes.
    • Appointment details and schedules.

    Genea stated, “At this stage there is no evidence that any financial information such as credit card details or bank account numbers have been impacted by this incident.”

    They also notified the Office of the Australian Information Commissioner.

    Termite Ransomware Gang claims Theft of 940GB of Patient Data

    While Genea didn’t initially name the attackers, the Termite ransomware gang claimed responsibility on Monday. They stated on their dark web leak site that they stole approximately 700 GB of data. They released screenshots of identification documents and patient files.

    The gang said, “We have ~700gb of data from company’s servers such as confidential, personal data of clients.”

    Termite, active since mid-October 2024, has listed 18 victims on its dark web portal. In December, it also claimed responsibility for a breach at Blue Yonder, an Arizona-based SaaS provider with over 3,000 clients, including major corporations such as Microsoft and Tesco.

    Termite uses a modified version of the Babuk encryptor (leaked September 2021), and drops a “How To Restore Your Files.txt” ransom note.

    Trend Micro noted a flaw in the encryptor’s code that causes it to terminate prematurely, suggesting the tooling is still a work in progress.

    This incident underscores the significant risk to sensitive healthcare data and the need for robust cybersecurity measures.