TRANSCRIPT:
"You've created something beautiful, which was supposed to be a good deed. It's almost like you're being punished because your information was held on a computer system."
That’s a sperm donor whom we will call Isaac.
SBS News has used an actor to record his comments, to obscure his identity and protect his sensitive personal information, which was part of a data breach earlier this year.
It all began when he agreed to be a sperm donor for some friends of his who couldn’t conceive themselves.
"Being a sperm donor is the epitome of awkward. You kind of feel like you're a bit of produce to some extent, which has been selected by your genetic characteristics. Personally, it's like why did they choose me? And that's an interesting thing, which makes you go to the depths of your own self-confidence. But the whole process is naturally incredibly awkward because effectively you've been chosen to jizz in a cup."
But Isaac wanted to help the couple and agreed to go ahead with being their sperm donor.
I-V-F ((in vitro fertilisation)) treatment is becoming increasingly more common in Australia, with one in every 18 births now a product of the process.
The couple decided to go to Genea Fertility, one of Australia’s largest I-V-F clinics, where staff asked Isaac several probing questions about his medical history, and he underwent a series of psychological sessions.
"You go through the longest form I've ever been through in my life. Any diagnosis you've had, any medication you've had. The staff there were really, really lovely, and particularly given the awkwardness of a sperm donation, they're adept at handling that awkward situation."
Isaac also spoke to staff about intimate personal circumstances, about himself and his family.
"People have mental health issues, and medication could be quite a lifesaver. I have a history of taking medication since I was 17 years old. It's still highly stigmatised. I also have a family history of autoimmune disease."
With his donation, the couple conceived their first child, but the joy Isaac feels for helping his dear friends start a family has been mixed with frustration and anger.
In February, Genea informed Isaac via email that his data was among a batch that had been breached by cybercriminals and posted to the Dark Web.
The exposed data includes people's medical history, diagnoses and treatments, medications and prescriptions, and pathology and diagnostic test results.
"You've created something beautiful, which was supposed to be a good deed. It's almost like you're being punished because your information was held on a computer system. I don't know what the next step is, but having some information about what the fuck's happening is probably a bloody good step."
Not only could Isaac be at risk of fraud or blackmail, but so could any children conceived through the clinic, including his friend’s newborn.
Four months later, he feels left in the dark about what Genea is doing to protect customers from hackers and scammers.
Genea declined to be interviewed by SBS News, instead pointing to statements it has made on its website.
"Our teams and cybersecurity experts are working hard to urgently review the impacted data. This is a detailed and complex process which will take some time to complete to ensure we can clearly understand the nature and extent of the data that has been published and identify impacted individuals.
So what happens now?
Professor Dali Kaafar is the executive director of Macquarie University's cybersecurity hub.
He says investigating cybercrime can be a lengthy process and in the meantime, Isaac's personal data could be used against him.
"If they actually sense some form of vulnerability with their victim, for instance, the victim is trying to hide some sort of information from the employer or from their families, they'll probably try to leverage that in a form of blackmail."
Professor Kaafar predicts data breaches will only become more frequent, especially against companies like Genea.
"Health providers handle obviously vast amounts of highly sensitive personal information, not only the medical histories or the diagnosis, et cetera, but things like contact details of patients and so on. So it makes them immediately attractive targets for cybercriminals. And so I think the very first explanation or the very first view of why the health sector is consistently reported as the highest number of data breaches in Australia and globally as well, by the way, is largely due to that first piece, which is the volume and the sensitivity of the data is there. They're definitely by nature a very attractive target for cyber criminals."
It’s a scary thought for Isaac when he thinks about both his future and that of the donor-conceived child.
"What happens if I get a job which is relatively high profile or dealing with sensitive activity, could this open me up to not getting employed because an employer might've found my internet history, and maybe they have had ethical concerns or concerns with my health record? There are lots of bits and pieces which we all choose to disclose or not disclose as we go about our day. And if that information is out there, it's taken away my agency and my choice to disclose that information if I want to. That's only compounded further by the lack of information that I've been provided about this investigation and the data breach."
He wants to see consequences for the data breach and for Genea to be held accountable.
"Some things are more sensitive than others, and if you're at the more extreme end of sensitivity, you want the ramifications to be higher and you also want to make sure there's incentive to not have this happen again."
Unlike financial fraud, where victims can demonstrate losses as a dollar figure, the value of a person's privacy is subjective.
Faith Gordon, an associate professor in law at the Australian National University, says people affected by breaches can make legal claims for the breach itself as well as its impact, and there could be compensation for losses such as embarrassment, humiliation and anxiety.
"There's a lot of legal and ethical accountability for these clinics. They do have ethical and also legal duties. For example, under Australian law, Australia's Privacy Act, there is health data protection requirements and there's medical ethical guidelines as well about informed consent and data protection. So breaches can give rise to claims for this breach and for the impact of it."
Associate Professor Gordon says there's more that can be done to protect people, especially children conceived through these clinics
"A data breach could expose very, very personal information, including names and dates of birth and donor status and notes about embryos. So that can result in significant stigma and psychological harm and potentially future discrimination as well. Child ren have very specific rights and very specific vulnerabilities, and these need to be protected, and they also need to be empowered to actually access justice when something does go wrong in this space as well."
Children conceived through the clinic could grow up in the shadow of their personal information being online, which Associate Professor Gordon says is a reason Australia needs a specific legal code for children’s privacy.
