In February, DataBreaches reported that an incident involving Australian IVF giant Genea was the work of the Termite gang, who had posted proof of claims and also claimed to have 700 GB of files. Apparently, Genea still hasn’t revealed that to those affected, who only now are receiving notifications that their data was involved and has been leaked on the darkweb.
ABC News in Australia reports:
Patients of Australia’s third-largest IVF provider, Genea, have been informed that their sensitive information — including medical history — has been posted on the dark web. The update comes more than five months after the ABC revealed cyber criminals had targeted the fertility clinic, which is used by tens of thousands of people across the country. In emails sent to affected patients over the past few days, Genea CEO Tim Yeoh confirmed the company had wrapped up its probe into the February cyber attack: “We are not notifying you about a new incident”. Emails obtained by the ABC state the data includes patients’ full names, addresses, phone numbers, dates of birth, Medicare card numbers, medical diagnosis, and “clinical information related to the services that you received from Genea or other health service providers and/or medical treatment”.
Read more at ABC.

Genea is being criticized by patients and others for the 5-month delay in notifying patients about the scope of the breach and that their data has been leaked. Nor has Genea revealed the number of patients affected or whether any ransom was paid.
The fact that Termite leaked all of the data in a 50-part archive that anyone can freely download is a strong indicator that Genea did not pay any ransom or extortion demands.
Although downloading from the darkweb is generally slow, Termite also leaked a file tree, which means that anyone can download a list of all of the files that are in the data dump to scan for particular names or keywords. Inspection of the file tree reveals many files that appear to contain patient names and records, all in plain text and unencrypted.
In its notification, Genea reportedly writes, in part, that the patient data was found on “a part of the dark web, which is a hidden part of the Internet” and “not readily searchable or accessible on the Internet”. Is that supposed to be reassuring to patients? Anyone with a smidgeon of knowledge about ransomware attacks and dark web leak sites knows exactly where to look on the clear net to find out (1) what gang claimed responsibility for the Genea breach, and (2) what their .onion address is on the dark web. Downloading the Tor browser is free, and then simply pasting the onion address into the browser, just as you would with Chrome or your favorite browser, will take you to the dark web leak site and the data that can be freely downloaded.
[DataBreaches would warn readers that such sites may contain malware embedded in files, but then, that is also true these days on the clear net.]