Bloom Hearing Specialists, which operates about 280 hearing clinics across Australia including more than 70 in Queensland, has written to customers warning that their personal details “have been (or will soon be) published on the dark web by the threat actor”.

The Melbourne-based company said it became aware of a “ransomware attack” on its retail operations including Bloom Hearing Specialists, TotalCare Hearing, Chris Laird’s YP Audiology, HearClear Audiology and Brad Hutchinson Hearing on July 5.

“We have since verified that there was unauthorised access by the threat actor and that they have stolen data from our network,” the company said in a letter received this week by one concerned Queensland client.

“There is an ongoing risk that the threat actor may publish the stolen data or disclose it to unknown third parties.

“We understand that some or all of the stolen data has been (or will soon be) published on the dark web by the threat actor.

“We encourage individuals and organisations not to look for the stolen data on the dark web. Doing so encourages criminal activity, may cause further harm to affected individuals and may put you at risk of committing cybercrime.”

Bloom said the stolen data included the name and address of clients and may also include email addresses, phone numbers, dates of birth, gender, health and insurance information, bank details, Medicare and Centrelink numbers and driver’s licence details.

“Due to the volume and complexity of the data which has been stolen, it is not practicable for us to confirm the extent to which these additional kinds of personal information are concerned in your individual case,” the letter said.

“Investigations are ongoing and, if we confirm that other kinds of personal information have been stolen by the threat actor, we will provide you with a further update where required by law.”

Bloom said it had taken immediate steps to contain and secure IT systems, “and our response team is working hard to investigate and identify what personal information has been affected”.

“We have notified the incident to the Office of the Australian Information Commissioner, the New Zealand Office of the Privacy Commissioner and law enforcement in both countries and will continue to liaise with those authorities as appropriate,” it said.

“We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused.”

It’s the latest data breach to hit Australia after cyber-attacks on the likes of Optus, Medicare and finance company Latitude.