Thousands of New Zealanders have been alerted to a significant data breach at Bloom Hearing Specialists, a chain of hearing clinics. The breach, which occurred in July, resulted in the theft of sensitive information, including bank account details, patient records, and insurance information. This data is feared to be published on the dark web soon.

Bloom Hearing Specialists issued an online alert on August 27, warning that the stolen data might be disclosed to unknown third parties. They advised against searching for the stolen data on the dark web.

Despite the severity of the breach, it has not received significant coverage in New Zealand media, unlike in Australia. Bloom operates 21 clinics across New Zealand, and all affected customers have been notified.

The breach raises concerns about increased fraud risks, extortion, and identity theft. An Australian report suggested that the volume of stolen data could be “astounding” and indicated potential legal breaches regarding the retention of personal data.

Bloom has informed the New Zealand police and the Privacy Commissioner about the incident. The National Cyber Security Centre in Wellington declined to comment on specific incidents.

A customer expressed frustration on Geekzone, highlighting the excessive amount of information collected for a hearing test and the vulnerability of older individuals affected by the breach, stating

Just received this and felt really angry that so much information is being collected for a hearing test and the type of people who will be affected by this, mostly older I would imagine.”

Bloom has warned of potential phishing attempts and provided extensive advice on protective measures. They assured that immediate steps were taken to secure their systems and are continuing their investigation. The company apologised for any distress caused by the incident.

The alert from Bloom Hearing Specialists detailed an extensive list of potentially stolen data, including names, addresses, contact details (such as email addresses and phone numbers), dates of birth, gender, health information (including audiograms and other hearing loss data), appointment details and notes, patient records, insurance information (including account details and claims), other funding sources (such as eligibility for workers’ compensation and government assistance), financial information (including bank account details), and government-related identifiers (such as Medicare numbers, Centrelink numbers, DVA numbers, ADF numbers, NDIS numbers, and driver licence numbers). It also included details of other contacts and their relationships to patients, such as powers of attorney and next of kin.

Additionally, the alert listed data of current and former employees and contractors of Bloom and its associated companies, including Active Hearing Pty Ltd, HearClear Audiology Pty Ltd, Hutchinson Audiology Clinics Pty Ltd, WS Audiology ANZ Pty Ltd, and Widex Australia.

Personal information of other individuals, such as healthcare professionals, other contacts, and vendors, may also be involved. This includes names, contact details (including email addresses and phone numbers), addresses, physician numbers, relationships of other contacts to individuals, and financial information of vendors (including bank account details).

In Australia, Bloom operates hundreds of clinics under various brands. Cybersecurity expert Sadiq Iqbal from Check Point Software Technologies told The Canberra Times that this breach could put Bloom Hearing in violation of the Privacy Act, which mandates the destruction or de-identification of personal information that is no longer needed. He described the amount of compromised data as “quite astounding.”

Media has contacted Bloom, the police, and the Privacy Commissioner for comments. The Privacy Commissioner’s office noted that Bloom’s public notice on August 21 was their official acknowledgement of the breach. They stated that Bloom Hearing must investigate to fully determine the breach’s size and scope and its impact on New Zealand clients.

Bloom is expected to inform affected individuals. The Privacy Commissioner’s office emphasised its role in advising agencies on minimising harm to impacted individuals. It referred people to ownyouronline.govt.nz for more information.

Media has sought further comments from Bloom, the police, and the Privacy Commissioner.