Bloom Hearing hit by ransomware, exposes sensitive data of patients


Bloom Hearing Specialists, an audiology services provider operating numerous clinics across Australia and New Zealand, is reporting a ransomware attack and data breach.

The breach, which occurred on July 5, 2023, compromised sensitive data belonging to current, former, and prospective patients, as well as staff members. The ransomware encrypted data on several systems, and Bloom Hearing warned that the threat actors could leak or sell the stolen information to third parties.

The stolen data is extensive, including:

  • Names
  • Addresses
  • Phone numbers
  • Dates of birth
  • Gender
  • Health information (audiograms, hearing loss details, patient notes, etc.)
  • Insurance details (account information and claims)
  • Financial information (bank account details)
  • Government-related identifiers (Medicare numbers, Centrelink, DVA, ADF, NDIS, and driver’s license numbers)
  • Relationship details (powers of attorney, next of kin)

Additionally, the breach involves similar information for current and former employees, such as tax file numbers, salary information, and vendor financial details.

The attack also potentially exposed personal data of healthcare professionals and suppliers.

The number of affected individuals is not disclosed.

Despite discovering the breach early in July, the company delayed notifying affected individuals until August 22, raising concerns among customers about the prolonged exposure and heightened risk of phishing attacks.

Questions are also being raised regarding the company’s compliance with data retention laws. Experts suggest that Bloom Hearing may be in violation of the Privacy Act, which mandates the destruction or de-identification of personal information no longer required.

Bloom Hearing has notified relevant authorities, including the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner, as well as law enforcement agencies in both countries. The company has also offered support services, including ID Care and mental health resources, to those impacted.

Update - As of 1st of October 2024, Bloom Hearing Specialists report that the stolen data, including bank account details, patient records, and insurance information, has been or may soon be published on the dark web. The company warned of an ongoing risk that the threat actor could release or share the compromised data with third parties.