Audiology services provider Bloom Hearing Specialists has experienced a ransomware attack, resulting in the exposure of confidential information belonging to current and former patients as well as staff members. The breach occurred on July 5, and the company, which operates numerous clinics across Australia and New Zealand under various brands including HearClear Audiology and Brad Hutchinson Hearing, issued an “important security update” on its website on July 9. However, customers claim that they only received email notifications from the company, owned by Active Hearing Pty Ltd., on August 22.
The company responsible for Bloom Hearing Specialists is ultimately T&W Medical; however, neither the name T&W Medical nor its Australian Company Number can be found in the ASIC or Australian Business Register databases. Apart from notifying customers via email and publishing a notice on its website, Bloom Hearing has not released any further statements regarding the attack. Customers have reported difficulties contacting the company’s support team as phone calls go unanswered and emails remain unaddressed.
Affected individuals are advised to reach out to ID Care, a charity offering identity and cyber support services in Australia and New Zealand. ID Care provides general recommendations and further guidance for those affected by such incidents. The ransomware attack encrypted data stored within several of Bloom Hearing’s systems. The company has warned customers that there is a risk of stolen data being published or disclosed to unknown third parties by threat actors.
The compromised data includes personal details such as names, addresses, phone numbers, birth dates and gender information, along with health records such as audiograms and other hearing loss-related information. Insurance details, including account information and claims, were also exposed, alongside financial particulars such as bank account details. Additionally, government-related identifiers such as Medicare numbers, along with contact details of other individuals associated with patients, were obtained.
Former employees’ personal information was also compromised, including tax file numbers (TFNs) and salary details. Healthcare professionals’ personal data was affected too, along with financial information pertaining to suppliers and vendors involved with Bloom Hearing Specialists.
Bloom Hearing stated that it took immediate action upon discovering the breach to contain it and secure its systems. However, some customers have expressed concern about the delay in notification, which lasted over a month, a period during which phishing attacks could potentially occur more frequently due to increased vulnerability.
The company has informed the relevant authorities, including the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of Privacy Commissioner (OPC), as well as law enforcement agencies in both countries, about this incident. Mental health support lines have been provided for those distressed by the breach, alongside the assistance available through ID Care.
In addition to the Bloom Hearing Specialists brand itself, TotalCare Hearing and Chris Laird’s YP Audiology are also trading names associated with this audiology services provider.