A national audiology provider may have breached the law by retaining the personal data of former patients and staff, which has now been leaked in a ransomware attack.
This week, Bloom Hearing Specialists confirmed it had been the subject of a ransomware attack that comprehensively compromised the personal and medical records of current, former and prospective patients, as well as current and former staff.
The company operates hundreds of clinics around Australia under its own brand and others, including HearClear Audiology and Hutchinson Audiology.
Cyber security expert Sadiq Iqbal at Check Point Software Technologies said this could put Bloom Hearing in breach of the Privacy Act, which requires companies to destroy or de-identify personal information that is no longer needed.
"The amount of data [Bloom Hearing] has listed that's been compromised is quite astounding," he said.
In a statement published on its website, Bloom Hearing outlined that the attackers had stolen a broad swathe of customer and employee data, including:
- Contact details such as name, home address, email addresses and phone numbers,
- Personal information including date of birth, gender, appointment details and patient records,
- Financial information including insurance, workers' compensation and bank account details,
- Government identifiers including Medicare, Centrelink, DVA, ADF, NDIS and driver's licence numbers, and
- Information relating to contacts and relationships such as powers of attorney and next of kin.
The volume of data stolen in the hack exposes patients and staff to sophisticated cyber attacks and fraud.
"You could do a lot with people's phone numbers, their bank account, medical card and their driver's licence," Mr Iqbal said.
"That's enough to make a bank account, you could be looking at fraud around Medicare, claiming medical expenses against a person's Medicare card."
Individuals who believe their details may have been stolen are urged to update their passwords and set up two-factor authentication where possible. They should also be alert to text message and email scams over the coming months.
Medical businesses and organisations have become increasingly frequent targets for hackers because of the valuable information they store. High-profile hacks, such as those on Medicare and electronic scripts provider MediSecure, have focused attention on the sector.
Bloom Hearing offers hearing services through the federal Health Department's Hearing Services Program, which provides subsidised hearing services to veterans, pensioners and their dependants. That is why the company held patients' DVA and concession card details, which the hackers were able to access.
A Department of Health spokesperson said the agency was aware of the hack and directed inquiries to Bloom Hearing.
Mr Iqbal said individual identity numbers, such as driver's licence and Medicare numbers, could each be sold for hundreds of dollars on the dark web, and were worth more when combined.
While Bloom Hearing did not state that hearing devices were affected in the hack, Mr Iqbal said the increasingly digital nature of the devices meant that hackers could find a way in via a phone or other connected device.
"From what I can see, nothing's going to compromise the workings of the hearing devices, or it won't necessarily disturb in any way the patients in their day-to-day operations; however, it can be used in a number of nefarious ways against them, from more targeted phishing campaigns depending on the kind of people they are," he said.
"Not everyone wants people to know that they're using hearing aids."
Australian individuals and organisations are increasingly being targeted in cyber attacks, with the most recent annual cyber threat report finding a 23 per cent increase in reports of cyber crime over the 2022-23 financial year.
Mr Iqbal said there was more that could be done to protect users' information, including requiring medical organisations to encrypt sensitive patient data, as is the case overseas.
"It is very hard to ransomware encrypted data, and additional safeguards required to protect patient data and patient information would've helped a lot."