Monash IVF Group says it has been subject to a “malicious cyber attack” targeting its email system.
Group chief executive Michael Knaap said that attackers “appear to have accessed and copied some emails” but early investigations have not revealed any indication that Monash’s confidential patient database had been accessed. The CEO said that the database is stored on a separate system from Monash's email server.
Knaap said that “a team of forensic IT experts are working as quickly as they can to ascertain the exact nature of the attack.”
The ABC was the first outlet to report details of the breach.
Monash said it was in contact with the Office of the Australian Information Commissioner (OAIC) and industry regulators.
“We are also communicating and working with the individuals who may have been affected by the incident,” Knaap said.
“We understand that our patients and stakeholders may be concerned by this incident. Monash IVF takes its patients’ privacy and data extremely seriously and is working thoroughly in its investigation to ensure those affected by the incident are informed.”
The CEO said that “IT experts” were investigating the details of the breach before Monash provided “further definitive information”.
“We will continue to communicate with patients as we learn more,” he said.
Monash IVF patients who are concerned can email the company at support.team at monashIVF.com
Monash launched in 2008 with the acquisition of Repromed in South Australia and the Northern Territory. It has since expanded to have a presence in Victoria, Queensland, NSW and the ACT, as well as Malaysia. (The group also has a cooperative agreement with a Chinese hospital.)
For the 12 months to 30 June 2019 it reported underlying net profit after tax of $20.9 million, down 2.3 per cent on the prior year, on revenue of $152 million, up 0.9 per cent.
During FY19, PricewaterhouseCoopers “performed certain internal control procedures on IT cyber security and risk review,” according to the company.
A third-party review of cyber security risk was conducted during FY18 and FY19, with the company indicating that recommendations from that review “continue to be implemented and will further enhance cyber security measures in place,” according to Monash’s annual report, released late last month.
In its most recent report on Notifiable Data Breaches (NDB), the OAIC revealed that between 1 April 2019 and 30 June 2019 it received 245 notifications under the scheme.
Private health service providers were the top sector to report breaches to the OAIC, accounting for 47 of the notifications. The majority of those – 25 – related to human error. The remainder, however, related to malicious or criminal attacks.