Hundreds of patients of fertility services provider Genea Pty Ltd are seeking compensation after a major data breach earlier this year exposed sensitive medical and financial information on the dark web.
Class-action law firm Phi Finney McDonald has filed a representative complaint with the Office of the Australian Information Commissioner (OAIC), alleging Genea failed to meet its obligations under the Privacy Act 1988 (Cth) to protect personal information from unauthorised access, loss or misuse.
“Patients at Genea expected their highly sensitive medical, personal and financial information on the company’s systems to remain private and confidential,” said Olivia McMillan, principal lawyer at Phi Finney McDonald. She added the firm had been “contacted by hundreds of impacted people who were distressed that their personal information had been accessed by unauthorised third parties”.
What happened
In February 2025, Genea reported suspicious activity on its network and later confirmed that an unauthorised party had accessed and published patient information online. The data included names, addresses, Medicare and insurance details, medical histories, pathology and diagnostic results, clinicians’ notes and financial records.
By July, the company had begun contacting affected patients directly to confirm the extent of the breach. Cybersecurity experts have since questioned the delay in notifications and transparency around how the breach occurred.
The OAIC complaint contends that Genea failed to take reasonable steps to secure its systems and did not destroy or de-identify information when it was no longer required. The firm is encouraging impacted individuals to register for updates through its website.
A wider reckoning for IVF providers
The complaint against Genea adds to growing scrutiny of Australia’s fertility industry, following a series of high-profile safety and governance failures at Monash IVF Group earlier this year.
Read more: Inside Biotech: Monash IVF board flexes the bonus hammer after embryo-transfer crises
Those incidents — involving two separate embryo transfer mix-ups, the resignation of the company’s CEO and calls for tighter national regulation — have already prompted a review of standards and oversight across assisted reproductive technology (ART) providers.
The Genea case also highlights the regulatory challenges in protecting health-sector data at a time of rising cyber threats. Healthcare accounted for the largest share of notifiable data breaches in Australia last year, according to the OAIC.
For fertility providers, the fallout could extend beyond reputational damage. Regulatory reform, stronger data-governance requirements and heightened investor scrutiny now appear inevitable as the sector faces what many see as its most serious test of trust to date.
