The personal information of clients of a family planning service could have been compromised in a cyber-attack and ransom demand on Anzac Day.
Family Planning NSW (FPNSW) said medical records were not accessed in the breach. However, databases containing information from clients who had contacted Family Planning NSW seeking appointments or leaving feedback over the past two-and-a-half years may have been revealed.
“We understand that as a client who may have provided personal and/or health information through the appointment or feedback forms, you may be concerned by the potential breach,” the organisation said in an email to clients.
“We’d like to reassure you again this form does not connect to our internal medical records.”
Clients can rest assured all web databases are now secure and there have been no further threats from the cybercriminals. More sensitive medical records held by our organisation and its clinical staff were never under threat,” FPNSW’s chief executive, Adj Prof Ann Brassil said.
The Australian Federal Police have been notified.
The email was sent to about 8,000 clients who had used the online form to contact FPNSW. A spokeswoman said any personal information compromised in the attack would depend on what the client had submitted in the form, but could include names, emails, phone numbers and any other information added, including the reason for seeking an appointment.
FPNSW said it was one of several agencies targeted in the attack on 25 April, by “cybercriminals requesting a bitcoin ransom”.
The website was not secured until 10am the following day, it said.
“The safety of client information continues to be a top priority for us and we hope to have our website back online after we complete an external security review and internal testing,” Brassil said.
The public and clients were not informed until Monday. A Facebook message on 26 April noted the website was down, and told people it was getting a “security update”. The same message remained on the website on Monday.
FPNSW’s email said the site would be back online following an external security review and internal testing.
Brassil was expected to address the media on Monday afternoon.