A ransomware attack on Family Planning NSW two weeks ago has potentially exposed the personal information of up to 8000 people, including women who sought information on abortions and contraception, but the reproductive and sexual health organisation claims medical records were never under threat.
Clients received an email from Family Planning NSW’s chief executive Adjunct Professor Ann Brassil and chair Sue Carrick yesterday morning alerting them to the data breach, which “may have compromised our online databases”.
In the attack on ANZAC Day, the hackers demanded a $15,000 ransom be paid in bitcoin.
“These databases contained information from clients who had contacted Family Planning NSW through our website in the past two-and-a-half years, seeking appointments or leaving feedback,” the email said.
The organisation refused to pay the ransom and the cyber crims disappeared.
“Since the attack, we have had no evidence that this information has been used by the cyber-attackers.”
The not-for-profit organisation, which is currently receiving a security update to its website, said it was one of several agencies targeted via software.
The Office of the Australian Information Commissioner said it was notified by Family Planning NSW about the incident.
The Notifiable Data Breaches scheme, which commenced on 22 February 2018, requires organisations to notify affected individuals and the OAIC where there is a likely risk of serious harm to any of the individuals whose personal information is involved in the data breach.
In its first report following the introduction of the scheme, the OAIC said in April that 24 per cent of breaches had occurred in the healthcare sector.