Australian IVF giant Genea breached by Termite ransomware gang


The Termite ransomware gang has claimed responsibility for breaching Genea, one of Australia’s largest fertility services providers, and stealing sensitive healthcare data belonging to its patients.

The IVF (in vitro fertilization) provider has been operating since 1986 (when it was known as Sydney IVF). It offers a wide range of services, including fertility treatments, tests, genetic services, preservation options, and donor programs, in 22 fertility clinics in New South Wales, South Australia, Western Australia, Melbourne, Canberra, and Queensland.

According to Australia’s national broadcaster, Genea and two other companies (Monash IVF and Virtus) account for over 80% of the industry’s total revenue in the country.

Genea first revealed last Wednesday that it was investigating a “cyber incident” after detecting “suspicious activity” on its network. In an updated statement issued today, the fertility services giant confirmed the attackers stole data from its systems, which was later published online.

The company said it obtained a court-ordered injunction to prevent the leaked data from being shared by others, and it is also working with the Office of the Australian Information Commissioner and the Australian Cyber Security Centre to investigate the incident.

The redacted court order reveals that the threat actors breached Genea’s network on January 31, 2025, through a Citrix server. Subsequently, they gained access to the company’s primary file server, domain controller, backup program, and BabySentry primary patient management system. Two weeks later, on February 14, the attackers exfiltrated 940.7GB of data from Genea’s compromised systems to a DigitalOcean cloud server under their control.
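The exfiltration pattern described above (hundreds of gigabytes pushed from an internal server to a single external cloud host over a short period) is the kind of activity a flow-log rule can flag. The script below is an added example, not code from the article or from Genea’s investigation; the flow records, the internal address ranges and the threshold are constructed assumptions, with TEST-NET addresses standing in for external hosts.

```python
"""Flag bulk outbound transfers from internal hosts to one external destination.
Assumptions: flow export is 'timestamp,src,dst,bytes' per line (constructed here),
internal ranges are the RFC 1918 blocks, and 203.0.113.45 / 198.51.100.7 are
TEST-NET placeholders for external hosts."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst of large transfers from a file server to one
# external host, some routine web traffic, and an internal backup copy.
SAMPLE_FLOWS = """\
2025-02-14T01:02:11Z,10.0.1.20,203.0.113.45,734003200
2025-02-14T01:09:40Z,10.0.1.20,203.0.113.45,805306368
2025-02-14T01:15:03Z,10.0.1.20,203.0.113.45,912680550
2025-02-14T02:30:00Z,10.0.1.20,203.0.113.45,1073741824
2025-02-14T09:12:44Z,10.0.2.15,198.51.100.7,20480
2025-02-14T09:13:01Z,10.0.2.15,198.51.100.7,14336
2025-02-13T22:45:10Z,10.0.1.20,10.0.3.9,5368709120
"""

GIB = 1024 ** 3
# Assumed internal address space; an organisation would list its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield (datetime, src, dst, bytes) tuples from the flow export."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split(",")
            yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes))

def bulk_egress(text, threshold_bytes=2 * GIB):
    """Sum bytes per (day, internal src, external dst) and return pairs at or above
    the threshold. Internal-to-internal traffic (e.g. copies to a backup host) is
    ignored so routine replication does not trigger the rule."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in parse_flows(text):
        if is_internal(src) and not is_internal(dst):
            totals[(ts.date().isoformat(), str(src), str(dst))] += nbytes
    return sorted((k, v) for k, v in totals.items() if v >= threshold_bytes)

if __name__ == "__main__":
    for (day, src, dst), total in bulk_egress(SAMPLE_FLOWS):
        print(f"{day}: {src} -> {dst} sent {total / GIB:.2f} GiB, over threshold")
```

A per-day sum is deliberately coarse; in practice the same aggregation over a shorter window, combined with the destination’s ASN, gives earlier warning than daily totals.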

The ongoing investigation also discovered that Genea’s compromised patient management systems contained the following types of personal and health data, with the exposed information varying for each affected individual: 

  • Full names, emails, addresses, phone numbers, date of birth, emergency contacts, and next of kin,
  • Medicare card numbers, private health insurance details, Defence DA numbers, medical record numbers, patient numbers,
  • Medical history, diagnoses and treatments, medications and prescriptions, patient health questionnaire, pathology and diagnostic test results, notes from doctors and specialists, appointment details, and schedules.

“At this stage there is no evidence that any financial information such as credit card details or bank account numbers have been impacted by this incident,” Genea added.

“The investigation is however ongoing, and we will keep you updated of any relevant further findings should they come to light.”

A Genea spokesperson has not replied to several requests for comment since the company disclosed the breach on February 19.

Breach claimed by Termite ransomware

While Genea didn’t attribute the attack to a specific threat group or cybercrime operation, the Termite ransomware gang claimed responsibility on Monday.

In a new entry on their dark web leak site, they said they stole roughly 700GB of data and leaked screenshots of identification documents and patients’ files allegedly stolen from Genea’s network.

“We have ~700gb of data from company’s servers such as confidential, personal data of clients,” the threat actors claim.

Genea entry on Termite’s leak site (BleepingComputer)

Termite is a ransomware operation that surfaced in mid-October, according to threat intelligence company Cyjax, and has since listed 18 victims on its dark web portal from all over the world and various industry sectors.

In December, the ransomware gang also claimed to have breached the network of Arizona-based software-as-a-service (SaaS) provider Blue Yonder. This worldwide supply chain software provider has over 3,000 customers, including high-profile companies such as Microsoft, Renault, Bayer, Tesco, Lenovo, DHL, 3M, Ace Hardware, Procter & Gamble, Carlsberg, Dole, Walgreens, Western Digital, and 7-Eleven.

Like other ransomware gangs, the Termite cybercrime group is involved in data theft, extortion, and encryption attacks. According to cybersecurity firm Trend Micro, they’re using a version of the Babuk encryptor leaked in September 2021 and are known to drop a “How To Restore Your Files.txt” ransom note on the victims’ encrypted systems.

Trend Micro also added that Termite’s ransomware encryptor is still likely a work in progress, as it will terminate prematurely due to a code execution flaw.
