Thousands of customers of a hearing clinic chain in New Zealand have been warned about a ransomware attack that has stolen masses of sensitive data.
Bloom Hearing Specialists said some or all of the stolen data had been, or soon will be, published on the dark web.
In an online alert, it said the hacked data may include bank account details, patient records and insurance information.
"There is an ongoing risk that the threat actor may publish the stolen data or disclose it to unknown third parties," Bloom said online on 27 August.
"We understand that some or all of the stolen data has been (or will soon be) published on the dark web. We encourage individuals and organisations not to look for the stolen data on the dark web."
This made news reports in Australia, but not in New Zealand, where Bloom has 21 clinics.
A spokesperson confirmed on Thursday afternoon to RNZ that all customers in New Zealand had been alerted.
The breach might increase the odds of being targeted for fraud, extortion or identity-related crimes, Bloom said.
An Australian media report said the amount of stolen data could be "astounding" and Bloom might have breached the law around retaining personal data of former patients and staff.
Bloom was hacked in July, put out alerts in late August and has written letters to thousands of customers, its alerts show.
It had also notified the New Zealand police and Privacy Commissioner, it said.
The National Cyber Security Centre in Wellington told RNZ it did not comment on specific incidents or regarding "if we are involved or not", and this would have to come from the company.
A person who got a letter from Bloom posted on website Geekzone: "Just received this and felt really angry that so much information is being collected for a hearing test and the type of people who will be affected by this, mostly older I would imagine."
The company further warned: "You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to them."
It published a long list of advice on steps to take and how to respond.
"As soon as we became aware of the incident, we took immediate steps to contain it and secure our systems," Bloom said. It was still investigating.
"We sincerely apologise for any distress this incident may have caused."
'Astounding' privacy breach
The list in the alert of what data may have been stolen was very long, "including name, address, contact details (including email addresses and phone numbers), date of birth, gender, health information (including audiograms and other hearing loss information, appointment details and notes and other patient records), insurance information (including account details and claims), other funding source information (including eligibility for workers compensation and government assistance), financial information (including bank account details), government related identifiers (including Medicare numbers, Centrelink numbers, DVA numbers, ADF numbers, NDIS numbers and Driver Licence numbers) and details of other contacts and their relationships to patients (including powers of attorney and next of kin)".
Another long list followed of the data of current and former employees and contractors of Bloom and its parent/sister companies Active Hearing Pty Ltd, HearClear Audiology Pty Ltd, Hutchinson Audiology Clinics Pty Ltd, WS Audiology ANZ Pty Ltd and Widex Australia.
"Some personal information of other individuals (such as healthcare professionals, other contacts and vendors) may also be involved including names, contact details (including email addresses and phone numbers), addresses, physician numbers, relationships of other contacts to individuals and financial information of vendors (including bank account details)."
In Australia, it had hundreds of clinics under various brands.
The Canberra Times quoted cyber security expert Sadiq Iqbal at Check Point Software Technologies saying this could put Bloom Hearing in breach of the Privacy Act, which requires companies to destroy or de-identify personal information that is no longer needed.
"The amount of data [Bloom Hearing] has listed that's been compromised is quite astounding."
RNZ has approached Bloom for comment, as well as police and the privacy commissioner.
The office of the Privacy Commissioner said an August 21 post by Bloom was their public notice of the breach.
"As with any breach, Bloom Hearing will need to investigate to fully ascertain the size and scope of the breach and any impact on its New Zealand clients," the OPC said on Wednesday afternoon.
Bloom was expected to inform people.
"Our focus in this situation is to provide agencies who have experienced a breach with advice on how to minimise the harm on any individuals impacted."
It referred people to ownyouronline.govt.nz
RNZ has approached Bloom for comment, as well as police.