Cyber Incident Victim: Family Planning NSW
Date: Apr 2018
Location: Australia
Summary
A ransomware attack compromised personal information of approximately 8,000 clients who used online appointment or feedback services with a reproductive health organization over a two-and-a-half-year period. The breach targeted web databases containing contact details and feedback forms, though internal medical records remained secure. Attackers demanded bitcoin ransom during the incident, which was contained shortly after detection with no subsequent evidence of data misuse. The organization took its website offline pending security reviews while notifying affected individuals that sensitive medical information was never at risk. This incident occurred amid broader cybersecurity challenges for Australian health service providers, which accounted for nearly a quarter of recent data breach notifications to regulators.
Description
On April 25, 2018, Family Planning New South Wales (FPNSW), a not-for-profit organization providing reproductive and sexual health services across five clinics in Ashfield, Dubbo, Fairfield, Penrith, and the Hunter region, experienced a ransomware attack compromising online databases containing client information. The breach occurred on Anzac Day, with attackers accessing appointment scheduling and feedback forms submitted through the organization’s website over the preceding two-and-a-half years. Approximately 8,000 clients who had interacted with these online services were potentially affected, though FPNSW confirmed no internal medical records systems—which store more sensitive health data—were breached. Criminals deployed ransomware, encrypting data and demanding payment in Bitcoin to restore access. FPNSW contained the incident swiftly, securing all web database information shortly after the attack and initiating a comprehensive security review. The organization took its website offline indefinitely pending completion of internal testing and security enhancements, prioritizing system integrity before restoring public-facing services.

FPNSW notified potentially impacted clients via email, clarifying that compromised data was limited to information submitted through online forms—such as personal contact details—and reiterating that clinical medical records remained isolated from the breach. The organization emphasized no evidence suggested attackers had misused the accessed data. As part of its response, FPNSW engaged in a thorough review of its information security protocols to rebuild client trust, acknowledging concerns while underscoring the separation between its web-facing systems and internal medical databases. The incident contributed to a broader trend of health sector targeting, with the Office of the Australian Information Commissioner (OAIC) reporting 15 health service provider breaches among 63 total notifications in the six weeks surrounding the event. Health data was implicated in 33% of these cases, though FPNSW, as a not-for-profit with annual turnover below AU$3 million, was exempt from mandatory reporting under Australia’s Notifiable Data Breaches (NDB) scheme. The attack highlighted operational vulnerabilities in web-based client interaction systems while leaving core medical infrastructure unaffected.
