Genea Fertility Data Breach: Donors Face Potential Blackmail Threats

Share this @internewscast.com

When Isaac (not his real name) was asked by some close friends to be their sperm donor, he experienced a wave of introspection.

“You kind of feel like you’re a bit of produce which has been selected [for] your genetic characteristics,” he says.

“And that’s an interesting thing, which makes you go to the depths of your own self-confidence.”

Isaac ultimately decided he wanted to help the couple and agreed to go ahead with the donation through Genea Fertility, one of Australia’s largest IVF clinics.

Isaac says the couple decided to go to Genea because of its welcoming staff. Credit: https://www.genea.com.au

In vitro fertilisation — or IVF as it is commonly known — is becoming increasingly popular in Australia, with one in every 18 births now resulting from the treatment.

In preparation for the donation, staff at Genea asked Isaac several probing questions about his medical history and conducted a series of psychological assessments.

You go through the longest form I’ve ever been through in my life. Any diagnosis you’ve had, any medication you’ve had.

“The staff there were really, really lovely, and particularly given the awkwardness of a sperm donation, they’re adept at handling that.”

He also disclosed information about his and his family’s health data and biological traits.

“This is some of the most sensitive information about me,” he says.

“[My family] has mental health issues, and medication could be quite a lifesaver. I have a history of taking medication since I was 17 years old. It’s still highly stigmatised.

“I also have a family history of autoimmune disease.”

With Isaac’s donation, the couple successfully conceived their first child.

But the joy he initially felt in helping his dear friends start a family has been mixed with frustration and anger.

The data he shared with Genea has been leaked online, leaving Isaac vulnerable to potential exploitation and blackmail.

Intimate data stolen

In February, Genea informed Isaac via email that his data was among a batch that had been breached by cybercriminals and posted to the dark web.

The exposed data includes those clients’ medical histories, diagnoses and treatments, medications and prescriptions, as well as pathology and diagnostic test results.

Not only could Isaac be at risk of being defrauded or blackmailed, but so too could any children conceived via his sperm, including his friend’s newborn.

Four months after first learning of the breach, Isaac says he feels left in the dark about what Genea is doing to protect customers from hackers and scammers.

“It was supposed to be a good deed. It’s almost like you’re being punished because your information was held on a computer system,” he says.

“I don’t know what the next step is, but having some information about what the f–k’s happening is probably a good bloody step.”

Genea declined to be interviewed by SBS News, instead deferring to a page on its website where the company is providing updates about the breach to customers.

“Our teams and cybersecurity experts are working hard to urgently review the impacted data. This is a detailed and complex process which will take some time to complete to ensure we can clearly understand the nature and extent of data that has been published and identify impacted individuals,” a statement on the site reads.

Graphic art of a silhouette of a hooded figure surrounded by personal documents

Information from clients of Genea was posted on the dark web after the data breach in February. Credit: Getty

Isaac has emailed the clinic directly, frustrated at what he says is a lack of transparency with customers.

“[Genea is] one of the top three IVF fertility specialists, you’d expect them to have really good security systems — and I assumed they did,” he says.

You don’t really feel confident in their ability to investigate if you have no idea what they’re investigating.

“I just want information about why this has happened. I’m just going in blind here.”

How data can be used against you and your children

Professor Dali Kaafar, executive director of Macquarie University’s cybersecurity hub, says cybercrime goes beyond bank fraud.

“If they actually sense some form of vulnerability with their victim, for instance, the victim is trying to hide some sort of information from [their] employer or from their families, they’ll probably try to leverage that in a form of blackmail,” he says.

Kinds of personal information involved in breaches

Consumer Data Right information only recorded one breach, and there were no breaches of Digital ID information or documents. Source: SBS News

Information such as a history of prescription medication can fetch a good price on the dark web, explains Kaafar, as the more a criminal knows about a victim, the more damage they can cause.

“They are capable of recreating a whole digital identity of the individual that they’re attacking or targeting,” he says.

“They could make false claims in their name to insurance [companies] or to the banks, or potentially even in this case with health insurance.”

As Isaac is close with the couple who conceived via his donation and is an active part of their child’s life, this information breach could also be used against them.

“This potentially impacts my life, but it also impacts the life of the next generation,” he says.

Cyberattacks are on the rise

Australia witnessed a record number of data breaches in 2024, according to Office of the Australian Information Commissioner, the privacy watchdog, with health service providers representing the highest number of breaches.

Meanwhile, the IVF industry is generating huge income.

Genea and two other companies — Monash IVF and Virtus — account for more than 80 per cent of the industry’s total revenue, which is predicted to reach $810 million this year.

Monash IVF was also the target of a malicious cyberattack in 2019, when its email server was breached and customers received scam emails appearing to be from the clinic.

Professor Toby Murray, from the school of computing and information systems at the University of Melbourne, says the overall trends are not surprising.

“There is increased malicious activity, there’s more hacking going on, there’s more data being stolen. Some of that’s because there’s just more data,” he says.

Businesses are collecting more and more data, and it’s more and more valuable. And so, there’s more reason for malicious actors to want to steal that data.

However, he also says increased reporting could be a good thing, as it signals that data breaches are becoming more detectable than in previous years.

Health-related scams are becoming more sophisticated

Kaafar says health data held by companies like Genea can be the most “valuable” to criminals.

“Health providers handle obviously vast amounts of highly sensitive personal information, not only the medical histories or the diagnosis, but things like contact details of patients and so on.

“So it makes them immediately attractive targets for cybercriminals.”

He predicts that fertility clinics will continue to be the targets of cybercrime, adding that, with the evolution of artificial intelligence, the ramifications are hard to imagine.

“You could create things that really look very, very real and very realistic, you could create counterfeits just in two seconds — literally,” Kaafar says.

“They can be exactly what your official and formal documentation could look like.”

‘Taken my agency away’

The weaponisation of technologies, such as AI, poses a serious risk to people like Isaac.

“What happens if I get a job [that] is relatively high profile or dealing with sensitive activity?” he asks.

INTERVIEW: Record numbers of malicious data breaches recorded - how do you protect yourself? image

“Could this open me up to not getting employed because an employer might’ve found my internet history, and maybe they had ethical concerns or concerns with my health record?”

It’s not just the potential to be scammed or blackmailed that he’s worried about.

“There are lots of bits and pieces which we all choose to disclose or not disclose as we go about our day. And if that information is out there, it’s taken away my agency and my choice to disclose that information if I want to,” he says.

“That’s only compounded further by the lack of information that I’ve been provided about this investigation and the data breach.”

He wants to see ramifications for the perpetrators of the data breach and for Genea to be held accountable.

“Some things are more sensitive than others, and if you’re at the more extreme end of sensitivity, you want the ramifications to be higher and you also want to make sure there’s [an] incentive to not have this happen again.”

Can victims be compensated?

Unlike financial fraud, where victims can demonstrate losses in dollar figures, the value placed on privacy is subjective.

Faith Gordon, an associate professor of law at the Australian National University, says people impacted by breaches can make legal claims for the breach itself as well as its impact.

Graphic art of a silhouette of a pair holding a baby, a motif of a family court in the background

Associate professor Faith Gordon says there could be grounds for families to make claims for the data breach should they be impacted. Credit: Getty

“There’s a lot of legal and ethical accountability for these clinics,” she says.

“For example, under Australian law — the Australian Privacy Act — there are health data protection requirements and there are medical ethical guidelines as well about informed consent and data protection.”

Gordon explains that claimants can receive compensation for “losses” such as “embarrassment, humiliation and anxiety”.

While Isaac could be entitled to compensation from Genea, the “very specific” rights of donor-conceived children add another level of legal complexity.

“Children conceived through fertility treatment have a right to privacy. Now that can be regarding the conception method, the genetic heritage or donor identities, sensitive medical information, and other details,” Gordon says.

“A data breach could expose very, very personal information, including names and dates of birth and donor status and notes about embryos.

So that can result in significant stigma and psychological harm and potentially future discrimination as well.

As the number of data breaches continues to rise, Gordon says the need for a specific code for children’s privacy is vital.

“Children have very specific rights and very specific vulnerabilities, and these need to be protected, and they also need to be empowered to actually access justice when something does go wrong in this space as well.”