Patients from Genea, one of Australia's largest IVF clinics, are seeking compensation after their sensitive medical information was published on the dark web earlier this year.
The representative complaint, a type of complaint lodged by an individual on behalf of two or more people, was sent to the Office of the Australian Information Commissioner on 20 October. Melbourne law firm Phi Finney McDonald is acting on behalf of affected patients.
The complaint alleges the company failed to take reasonable steps to protect information from misuse, interference, loss, and unauthorised access.
It also alleges Genea failed to destroy or remove information once it was no longer needed, and that it breached its obligations under the Privacy Act 1988 by not informing affected individuals sooner.
Genea - one of Australia's largest IVF clinics — has 19 clinics across Australia, and one clinic in Thailand. It specialises in IVF, genetic testing, egg and sperm freezing, and fertility testing.
Cyber incidents are up 11 per cent from last year with large organisations being the main target, according to the Australian Signals Directorate. Source: AAP / Dominic Lipinski
Genea apologises for incident
In February, Genea informed patients of suspicious activity on their network. In July, it informed individual patients that their data had been accessed by a cyber criminal and published on the dark web.
The exposed data included the medical histories, diagnoses, treatments, prescription medications, pathology, and diagnostic test results of patients.
Principal lawyer for Phi Finney McDonald, Olivia McMillan, said hundreds of people had contacted them "distressed that their personal information had been accessed by unauthorised parties".
"Patients at Genea expected their highly sensitive medical, personal, and financial information on the company's systems to remain private and confidential," she said in a statement.
A spokesperson for Genea told SBS News it has partnered with IDCARE, Australia's national identity and cyber support service, to provide counselling and other assistance at no cost for people who had been impacted, as well as opened a dedicated call centre and email.
"We thank our community for their understanding during our investigation into this cyber incident," the spokesperson said.
"We deeply regret that personal information was accessed and published and sincerely apologise for any concern this incident may have caused."
'Like you're being punished'
Former Genea patients told SBS News they were concerned about the implications of the data breach.
Isaac, who donated sperm through the company, expressed concerns he had shared extensive personal health and biological information using the clinic's services, and a breach of that data could impact not only them, but also children conceived through his sperm.
"This is some of the most sensitive information about me," he said.
"It's supposed to be a good deed. It's almost like you're being punished because your information was held on a computer system."
Isabel Lewis, who conceived her twin boys through IVF eight years ago, says she was informed by email in February that her personal data had been breached and posted on the dark web.
Lewis told SBS News in September the data breach had shaken her confidence in the industry, and she was considering legal action.
Isabel Lewis had her twin boys through IVF eight years ago. Source: Supplied
The Australian Signals Directorate (ASD) revealed earlier in the month there had been an 11 per cent rise in cyber incidents compared to last year, with almost half of the incidents targeting organisations.
