Monash IVF patients receive bogus emails after 'malicious cyber attack' on fertility company
Monash IVF Group chief executive Michael Knaap confirmed the company's email system had been targeted, and said a team of forensic IT experts was working to determine how and why the server had been breached.
He said it appeared the patient database was untouched, but investigations were continuing.
"We understand that our patients and stakeholders may be concerned by this incident," Mr Knaap said.
"Monash IVF takes its patients' privacy and data extremely seriously and is working thoroughly in its investigation to ensure those affected by the incident are informed."
Patient says she was not told of breach
Mr Knaap said Monash IVF had contacted affected patients, but one client told the ABC this was not true.
The woman, who asked to remain anonymous, said she had received emails from an account that appeared to be from the company in response to correspondence she had sent her clinicians about recent medical appointments.
But it was from scammers imploring her to open an attachment.
She said she was not advised of the breach by Monash IVF and felt dismissed when she tried to find out what had happened.
The company holds highly sensitive personal data, including her address, date of birth and medical history.
"My chief concern is they'll use this data for something dodgy and that the clinic isn't taking it seriously," the woman told the ABC.
"[IVF is] already a really personal and emotional journey, to have this added stress on top is really unfair."
Monash IVF is attached to fertility clinics in New South Wales, Queensland, Victoria, Tasmania, South Australia and the Northern Territory.
The University of New South Wales Canberra Cyber director Nigel Phair said it was a "very serious" situation.
"There's nothing more sensitive in your life than your health data and this is a particularly doubly sensitive issue for people who are involved in it," Mr Phair said.
"If you can divulge medical records you can do a range of things — anything from identity takeover onwards."
Mr Knaap said Monash IVF had informed the Office of the Australian Information Commissioner of the breach.
According to the agency, health service providers have been among the top three sources of privacy complaints over the past three years, and the leading source of notifiable data breaches since mandatory notification started last year.
Mr Knaap pledged to keep patients in the loop as investigations into the scam continued.
"Due to the extremely complicated nature of these incidents, it is important we allow our IT experts to carefully review the circumstances before providing further definitive information," he said.
By Emily Baker