Cyber gangs are stepping up their attacks on Australian health companies, with IVF provider Genea the latest victim – with hoards of sensitive patient data from couples struggling to conceive stolen and published on the dark web – after similar strikes against Medibank and MediSecure.

US cyber security company Proofpoint said healthcare services were particularly vulnerable, with 23 per cent of Australia’s “top-ranked” hospitals falling short on “basic cybersecurity measures”.

Steve Moros – senior director of Proofpoint’s Advanced Technology Group for Asia Pacific and Japan – said the attacks were likely to continue.

“The healthcare industry has become one of the most targeted sectors for cyber criminals due to the highly valuable data it stores, including patient identities, bank account details, and medical history, combined with limited resources focused on staying operational to provide patient care,” Mr Moros said.

For private hospitals, negotiations with their main funders, private health insurers, have become increasingly tense as they battle high inflation. St Vincent’s threatened to walk away from its deal with NIB, before striking a 11th hour agreement last August.

Australia’s second biggest private hospital operator Healthscope – owned by Canadian private equity titan Brookfield – has also cancelled contracts with Bupa, and the Australian Health Services Alliance – which represents soldiers, teachers, nurses and police officers – in November. Healthscope has also defaulted on its rent payments, underlining its financial woes.

Private equity firm Liverpool Partners acquired Genea, Australia’s third biggest IVF provider, for $202m in 2022. It reported a $2.96m loss in the 2023 financial year off $97.5m revenue.

Chief executive Tim Yeoh said “data taken from our systems appears to have been published externally”. Ransomware group Termite claims to have carried out the attack, stealing more than 940GB of sensitive patient data before publishing it on the dark web.

In his sixth and most chilling threat assessment so far, ASIO director-general Mike Burgess warned Australians last month of unprecedented dangers, rating the nation’s future threat environment as more difficult than anything seen in at least 50 years.

Mr Moros said email remains the primary attack vector. He said while the pandemic accelerated healthcare’s digital transformation through telehealth adoption in Australia, it significantly expanded the cybersecurity attack surface while organisations simultaneously face cybersecurity talent shortages.

He said protection like Domain-based Message Authentication, Reporting and Conformance (DMARC) – which allows companies to protect their domains from unauthorised access and usage – was critical in helping prevent attacks.

“With more large-scale cyberattacks affecting Australian healthcare organisations including MediSecure and most recently Genea, implementing robust email security protocols like DMARC adds a critical layer of protection.”

Mr Moros said most hospitals were using some form of DMARC but only 64 per cent deployed the “strongest reject policy” and 23 per cent still used “ insufficient protection, potentially exposing patients, staff and stakeholders to email fraud”.

“We’re encouraged by the improved DMARC adoption across Australian top hospitals, but a significant security gap remains.

“For healthcare institutions, strong cybersecurity isn’t just about protecting patient data, it directly impacts the quality of care Australians receive. Implementing DMARC at its highest protection level provides essential defence against email threats targeting these critical organisations.

Originally published as IVF cyber attack ‘just the beginning’, US security group warns