Genea Patients Seek Compensation After Sensitive IVF Data Leaked on Dark Web

Patients of Genea, one of Australia’s largest IVF clinics, have lodged a complaint seeking compensation after their sensitive medical information was leaked onto the dark web earlier this year.

 

In February 2025, Genea experienced a major cyber attack that compromised sensitive patient data in which threat actors gained unauthorised access to Genea’s internal network, including patient management systems.

 

The attackers accessed a wide range of personal and healthcare information including names, contact details, Medicare and insurance numbers, medical histories, diagnoses, treatments, test results, and more. Genea confirmed that financial information like credit card or bank details were not accessed during the incident.

 

Genea took several systems offline as a precaution and notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre about the incident. 

 

The Termite ransomware group claimed responsibility for the cyber attack, stating they stole approximately 940.7 GB of data via a breach of a Citrix server on January 31. They published samples of the stolen data on the dark web. Genea later obtained a court injunction to prevent further sharing of the leaked data and apologised to affected patients.

 

A representative complaint has been lodged against Genea with the Office of the Australian Information Commissioner, alleging the company failed to take reasonable steps to safeguard personal information from misuse, interference, loss, and unauthorised access.

 

A representative complaint is a legal action where an individual files a complaint on behalf of a group of people who have been similarly affected. In Australia, under the Privacy Act 1988, such a complaint can be submitted to the Office of the Australian Information Commissioner (OAIC) when multiple individuals have experienced the same alleged privacy breach.

 

The complaint also alleges that Genea failed to destroy or remove patient information once it was no longer needed, and breached its obligations under the Privacy Act 1988 by not notifying affected individuals promptly. The complaint could set a legal precedent for future data breach claims involving sensitive medical information.