The personal information of up to 8000 patients has been compromised in a cyber-attack on Family Planning NSW (FPNSW).
Cyber criminals demanded a $15,000 bitcoin ransom when they targeted the reproductive and sexual health provider on Anzac Day. The website was secured at 10am the following morning, an apology email sent to patients almost three weeks later said.
FPNSW services include pregnancy advice and abortion referrals, contraception – including the implantation and removal of IUDs and the contraceptive implant – STI testing, gynaecological exams, menstruation and menopause management, fertility advice, cervical screening, breast awareness and men’s sexual health.
Its online appointment and feedback forms were exposed in the attack, according to the email to patients on Monday morning.
The level of patient information exposed in the attack would vary from patient to patient, depending on how much detail was provided in the online form. For example, some patients may have detailed the purpose of their appointment down to STI symptoms, type of contraception sought or abortion plans.
“Since the attack, we have had no evidence that this information has been used by the cyber-attackers,” the email to patients said.
“We understand that as a client who may have provided personal and/or health information through the appointment or feedback forms, you may be concerned by the potential breach.”
The form did not connect to internal medical records, and FPNSW is conducting a review of its information security. The website was pulled on April 26 for a security upgrade, and is expected to be back up once an external security review and internal testing are completed.
“All web database information has been secure since this time and more sensitive medical records held internally were never under threat,” the email said.
“The situation is now contained and there have been no further threats. We will have our website back online after external security review and internal testing.”
FPNSW has clinics in Sydney suburbs Ashfield, Fairfield and Penrith, as well as Newcastle and Dubbo. The clinics have more than 28,000 visits annually.
“At our clinics it’s business as usual and it’s important that people who need reproductive and sexual health services are not deterred by this,” the agency said.
FPNSW, the largest reproductive and sexual health provider in the state, also runs a confidential telephone and email information and referral service.
CEO Ann Brassil said it was one of several agencies targeted, and there had been no further threats from the attackers who were “financially motivated”.
Ms Brassil said the attack did not appear to be on FPNSW, but a vulnerability in the software the website was built on.
Australian Federal Police has been notified and FPNSW is working with the Office of the Australian Information Commissioner.
Concerned clients can contact Family Planning NSW’s dedicated hotline on 1800 957 860 or request more information at firstname.lastname@example.org