Thousands of People’s Medical and Financial Records Exposed in Bloom Hearing’s Ransomware Attack

An unknown number of customers have had their data stolen from the Australian and New Zealand audiology services provider.

Audiology services provider Bloom Hearing Specialists has been hit by a ransomware attack, with confidential information of current and former patients and staff exposed.

The breach occurred on July 5, and the company, which operates hundreds of clinics around Australia and New Zealand under its own brand and other brands including HearClear Audiology and Brad Hutchinson Hearing, published an “important security update” on its website on July 9.

However, customers told The Epoch Times they only received email notifications from the company, owned by Active Hearing Pty Ltd., on Aug. 22.

While T&W Medical ultimately owns the company, neither the name T&W Medical nor the Australian Company Number supplied for it appears on the ASIC or Australian Business Register databases.

Aside from the notice to customers, sent by email and published on its website, the company has not made further statements about the attack.

Customers have reported that the company’s contact number appears disconnected, and some say their emails to Bloom Hearing’s support have so far gone unanswered.

Affected customers are being advised to contact ID Care, a charity offering identity and cyber support services in Australia and New Zealand, which provides general recommendations and further guidance.

The ransomware attack encrypted data on several of the company’s systems and Bloom Hearing has advised customers that “there is a risk that the threat actor may publish the stolen data or disclose it to unknown third parties.”

The people affected are not just current customers but also former and prospective clients, making the breach one of the most extensive to date.

The stolen data includes names, addresses, phone numbers, birth dates, gender, health information (including audiograms and other hearing loss information, notes, and other patient records), insurance (including account details and claims), and financial details (including bank account details).

A text message sent to Bloom Hearing from a NZ customer. (Supplied)

Also now in the threat actor's possession are people’s government-related identifiers (including Medicare, Centrelink, DVA, ADF, NDIS, and driver's licence numbers) and details of other contacts and their relationships to patients (including powers of attorney and next of kin).

Similar information relating to current and former employees was also taken, along with their tax file numbers and details of their salaries. Personal information of healthcare professionals, other contacts, and vendors, including the financial information of suppliers, may also be involved.

Bloom Hearing stated that it took “immediate steps to contain it and secure our systems” once the breach was discovered. However, The Epoch Times has seen emails from customers questioning the delay of more than a month in notification and expressing concerns about the increased risk of phishing attacks during that period.

As of yesterday, the company said its response team “is working hard to investigate and identify what personal information has been affected,” and it has notified the Office of the Australian Information Commissioner, the New Zealand Office of the Privacy Commissioner, and law enforcement in both countries.

The statement concludes with an explanation of the support available through ID Care, and a list of mental health support lines for those distressed by the breach.

The company also trades under TotalCare Hearing and Chris Laird’s YP Audiology.

More details are expected as the investigation continues.

Rex Widerstrom
Author
Rex Widerstrom is a New Zealand-based reporter with over 40 years of experience in media, including radio and print. He is currently a presenter for Hutt Radio.