Important Security Update

Published: 28 August 2024

Further Important Security Update - 28 August 2024

We regret to inform you that we have become aware of a security incident affecting our retail operations trading as “bloom hearing specialists”; our operations in Australia are also affected.

On 5 July 2024, we became aware of a ransomware attack which encrypted data on several of our systems and impacted a number of our applications. We have since verified that there was unauthorised access by the threat actor and that they have stolen data from our network. There is a risk that the threat actor may publish the stolen data or disclose it to unknown third parties.

Further to our 21 August update below, we understand that some or all of the stolen data has been (or will soon be) published on the dark web. We encourage individuals and organisations not to look for the stolen data on the dark web. Doing so encourages criminal activity, may cause further harm to affected individuals and may put you at risk of committing cybercrime.

As soon as we became aware of the incident, we took immediate steps to contain it and secure our systems, and our response team is working hard to investigate and identify what personal information has been affected.

We have notified the incident to the Office of the Australian Information Commissioner, the New Zealand Office of the Privacy Commissioner and law enforcement in both countries and will continue to liaise with those authorities as appropriate. We also posted public notices on the bloom website, and promoted them through our social media channels at the time.

Our current understanding is that a range of personal information of:

  • prospective, current and former patients of “bloom hearing specialists” may be involved, including name, address, contact details (including email addresses and phone numbers), date of birth, gender, health information (including audiograms and other patient records). Additionally, other personal information potentially affected is your funding source or insurance information (and potentially relevant claim details), financial information (including bank account details), and government related identifiers (including potentially NHI numbers and MSD/WINZ client number) and/or driver’s licence details, and potentially details of other contacts (including powers of attorney and/or next of kin); and
  • current and former employees and contractors of Bloom Hearing Ltd may be involved including name, address, contact details (including email addresses and phone numbers), date of birth, gender, financial information (including bank account details, credit / debit card details and payroll information), superannuation information (including account details), social services information (including WINZ or MSD numbers, and types of payments such as parental leave), tax information (including IRD numbers, tax codes and payment summaries), health information, government related identifiers (such as NHI or ACC claim numbers), details of other contacts and their relationships to employees and contractors (including next of kin) and various other records (including HR files relating to recruitment, background checks, contracts and roles, onboarding, remuneration and benefits, leave, performance, disciplinary action, termination and offboarding).

Some personal information of other individuals (such as healthcare professionals, other contacts and vendors) may also be involved including names, contact details (including email addresses and phone numbers), addresses, physician numbers, relationships of other contacts to individuals and financial information of vendors (including bank account details).

Investigations are ongoing and, if we confirm that other kinds of personal information about individuals have been stolen by the threat actor, we will publish a further update on this webpage where required by law.

We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused.

Recommended steps affected individuals should take in response

You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you. The kinds of personal information affected may increase the likelihood of you also being targeted by identity-related crime (including identity theft and identity fraud), cyber scam activities and extortion attempts (where criminals contact you and threaten to publish your personal information unless you provide payment to them). That being so, we recommend that you:

  • Be cautious about clicking on links in emails or text messages, no matter how legitimate they appear.
  • Do not be pressured to respond, whether it is by email, text message or telephone. Instead, contact the organisation sending the message directly using contact details you know to be correct.
  • Be cautious about providing any personal or credential information (e.g. usernames and account information) and never do so in response to an extortion attempt. Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
  • Do not follow technology instructions from someone you do not know, including instructions to download apps or software, or give remote access to your computer or mobile device.
  • Be cautious about providing any financial, tax, KiwiSaver or other superannuation account details or any payment (and never do so in response to an extortion attempt). Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
  • Protect your accounts with multifactor authentication, including financial, work / business, KiwiSaver, superannuation, insurance, government, email, and social media accounts.
  • Log yourself out of your accounts and change your passwords.
  • Use unique and strong passwords (and try to avoid using a common or similar password for different accounts) and do not share your passwords.
  • Contact government agencies, your phone and internet provider(s), utilities providers, KiwiSaver / superannuation and financial organisations to let them know you have been affected by this incident and request they place additional security on your account.
  • Contact your employer to let them know you have been affected by this incident and request that additional security be placed on your personal details (including contact details, address, banking and KiwiSaver / superannuation details).
  • Install antivirus on your devices, and ensure it is kept updated. This will not prevent all phishing or other cybercrime, but will reduce the risks to you. You will still need to remain vigilant.
  • Regularly review your account details and security settings for any online accounts. Check that your contact details are correct, and changes have not been made to any linked bank accounts or other services.
  • Monitor your account statements, and obtain a copy of your credit report, to check for any suspicious activity. You should report any suspicious activity and, if you suspect fraud or want to take additional protective measures, you should consider also requesting a ban on your credit report.

To support you during this time, we have partnered with IDCare, New Zealand and Australia’s national identity and cyber support community service. Further information about risks and recommendations, including specific recommendations relating to some of the categories of personal information listed above, is included on a dedicated support page set up for individuals affected by this incident on the IDCare website at https://www.idcare.org/bloom-hearing-specialists-incident-response, and we recommend that you review this information carefully.

In addition to the dedicated support page referred to above, IDCARE’s expert Case Managers can assist with any concerns related to personal information risks. These services are provided at no cost to you. You can complete an online Get Help form at www.idcare.org or call 0800 121 068 (NZ), using the referral code BHSCUST24 (for patients) or BHSEEMP24 (for ex-employees / contractors).

Along with IDCARE, the Privacy Commissioners’ offices have good resources regarding what you can do to protect yourself and can also receive complaints (for New Zealand, see https://www.privacy.org.nz/), and we recommend you review this information carefully.

If you experience distress, we also recommend seeking mental health support from your doctor or other available support services, examples of which are included below. In an emergency, please call 111.

Other information and resources

Other information and resources are available, including from:

  • Office of the Privacy Commissioner and/or the Office of the Australian Information Commissioner; and
  • CERT NZ or call 0800 CERT NZ (0800 2378 69).

Any individual can report a cybercrime or incident to New Zealand Police by calling 111 in an emergency (or for non-emergency incidents or crimes, you can still report by phone using 105, online to 105 or in person) or to Cert NZ using the details above.

Mental health support is also available, including from:

Please continue to stay alert and report any suspicious activity. Please also monitor our websites, and the dedicated support page on the IDCARE website, for any further updates. If you have specific concerns or wish to seek further guidance, please contact IDCARE via the means above. If IDCARE cannot assist you, or you have further concerns once you’ve contacted IDCARE, you can contact us directly on support@bloomhearing.co.nz.

For media enquiries please contact Brigid Glanville +61 407 210 976 / bglanville@gracosway.com.au, Joel Labi +61 450 582 360 / jlabi@gracosway.com.au or Tom Scambler +61 400 335 460 / tom.scambler@gracosway.com.au.


Published: 21 August 2024

Further Important Security Update - 21 August 2024

We regret to inform you that we have become aware of a security incident affecting our retail operations trading as “bloom hearing specialists”; our operations in Australia are also affected.

On 5 July 2024, we became aware of a ransomware attack which encrypted data on several of our systems and impacted a number of our applications. We have since verified that there was unauthorised access by the threat actor and that they have stolen data from our network. There is a risk that the threat actor may publish the stolen data or disclose it to unknown third parties.

As soon as we became aware of the incident, we took immediate steps to contain it and secure our systems, and our response team is working hard to investigate and identify what personal information has been affected.

We have notified the incident to the Office of the Australian Information Commissioner, the New Zealand Office of the Privacy Commissioner and law enforcement in both countries and will continue to liaise with those authorities as appropriate. We also posted public notices on the bloom website, and promoted them through our social media channels at the time.

Our current understanding is that a range of personal information of:

  • prospective, current and former patients of “bloom hearing specialists” may be involved, including name, address, contact details (including email addresses and phone numbers), date of birth, gender, health information (including audiograms and other patient records). Additionally, other personal information potentially affected is your funding source or insurance information (and potentially relevant claim details), financial information (including bank account details), and government related identifiers (including potentially NHI numbers and MSD/WINZ client number) and/or driver’s licence details, and potentially details of other contacts (including powers of attorney and/or next of kin); and
  • current and former employees and contractors of Bloom Hearing Ltd may be involved including name, address, contact details (including email addresses and phone numbers), date of birth, financial information (including bank account details and payroll information), superannuation information (including account details), social services information (including types of payments), tax information (including tax file numbers and payment summaries), health information, government related identifiers, details of other contacts and their relationships to employees and contractors (including next of kin) and various other records (including HR files).

Some personal information of other individuals (such as healthcare professionals, other contacts and vendors) may also be involved including names, contact details (including email addresses and phone numbers), addresses, physician numbers, relationships of other contacts to individuals and financial information of vendors (including bank account details).

Investigations are ongoing and, if we confirm that other kinds of personal information about individuals have been stolen by the threat actor, we will publish a further update on this webpage where required by law.

We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused.

Recommended steps affected individuals should take in response

You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you. The kinds of personal information affected may increase the likelihood of you also being targeted by identity-related crime (including identity theft and identity fraud), cyber scam activities and extortion attempts (where criminals contact you and threaten to publish your personal information unless you provide payment to them). That being so, we recommend that you:

  • Be cautious about clicking on links in emails or text messages, no matter how legitimate they appear.
  • Do not be pressured to respond, whether it is by email, text message or telephone. Instead, contact the organisation sending the message directly using contact details you know to be correct.
  • Be cautious about providing any personal or credential information (e.g. usernames and account information) and never do so in response to an extortion attempt. Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
  • Do not follow technology instructions from someone you do not know, including instructions to download apps or software, or give remote access to your computer or mobile device.
  • Be cautious about providing any financial, tax, KiwiSaver or other superannuation account details or any payment (and never do so in response to an extortion attempt). Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
  • Protect your accounts with multifactor authentication, including financial, work / business, KiwiSaver, superannuation, insurance, government, email, and social media accounts.
  • Log yourself out of your accounts and change your passwords.
  • Use unique and strong passwords (and try to avoid using a common or similar password for different accounts) and do not share your passwords.
  • Contact government agencies, your phone and internet provider(s), utilities providers, KiwiSaver / superannuation and financial organisations to let them know you have been affected by this incident and request they place additional security on your account.
  • Contact your employer to let them know you have been affected by this incident and request that additional security be placed on your personal details (including contact details, address, banking and KiwiSaver / superannuation details).
  • Install antivirus on your devices, and ensure it is kept updated. This will not prevent all phishing or other cybercrime, but will reduce the risks to you. You will still need to remain vigilant.
  • Regularly review your account details and security settings for any online accounts. Check that your contact details are correct, and changes have not been made to any linked bank accounts or other services.
  • Monitor your account statements, and obtain a copy of your credit report, to check for any suspicious activity. You should report any suspicious activity and, if you suspect fraud or want to take additional protective measures, you should consider also requesting a ban on your credit report.

To support you during this time, we have partnered with IDCare, New Zealand and Australia’s national identity and cyber support community service. Further information about risks and recommendations, including specific recommendations relating to some of the categories of personal information listed above, is included on a dedicated support page set up for individuals affected by this incident on the IDCare website at https://www.idcare.org/bloom-hearing-specialists-incident-response, and we recommend that you review this information carefully.

In addition to the dedicated support page referred to above, IDCARE’s expert Case Managers can assist with any concerns related to personal information risks. These services are provided at no cost to you. You can complete an online Get Help form at www.idcare.org or call 0800 121 068 (NZ), using the referral code BHSCUST24.

Along with IDCARE, the Privacy Commissioners’ offices have good resources regarding what you can do to protect yourself and can also receive complaints (for New Zealand, see https://www.privacy.org.nz/), and we recommend you review this information carefully.

If you experience distress, we also recommend seeking mental health support from your doctor or other available support services, examples of which are included below. In an emergency, please call 111.

Other information and resources

Other information and resources are available, including from:

  • Office of the Privacy Commissioner and/or the Office of the Australian Information Commissioner; and
  • CERT NZ or call 0800 CERT NZ (0800 2378 69).

Any individual can report a cybercrime or incident to New Zealand Police by calling 111 in an emergency (or for non-emergency incidents or crimes, you can still report by phone using 105, online to 105 or in person) or to Cert NZ using the details above.

Mental health support is also available, including from:

Please continue to stay alert and report any suspicious activity. Please also monitor our websites, and the dedicated support page on the IDCARE website, for any further updates. If you have specific concerns or wish to seek further guidance, please contact IDCARE via the means above. If IDCARE cannot assist you, or you have further concerns once you’ve contacted IDCARE, you can contact us directly on support@bloomhearing.co.nz.

For media enquiries please contact Brigid Glanville +61 407 210 976 / bglanville@gracosway.com.au or Joel Labi +61 450 582 360 / jlabi@gracosway.com.au.


Published: 21 July 2024

Further Important Security Update - 21 July 2024

We regret to inform you that we have become aware of a security incident affecting our retail operations trading as “bloom hearing specialists”; our operations in Australia are also affected.

On 5 July 2024, we became aware of a ransomware attack which encrypted data on several systems and impacted a number of our applications. The threat actor also claimed to have stolen data from our network, although so far this has not been verified. As at the date of this notice, however, we do know there was unauthorized access by the threat actor. As soon as we became aware of the incident, we took immediate steps to contain the incident and secure our systems, and our response team is working hard to investigate and identify what personal information has been affected by this incident.

We have notified the incident to the New Zealand Office of the Privacy Commissioner and the Office of the Australian Information Commissioner, and law enforcement in both countries and will continue to liaise with those authorities.

Our current understanding is that a range of personal information of:

  • current and former patients of “bloom hearing specialists” may be involved, including name, address information, contact information (including phone numbers), date of birth, gender, insurance information, health information, financial information and government related identifiers; and
  • employees and contractors may also be involved (if you are a former employee or contractor of any of Bloom Hearing, please click here).

Some personal information of other individuals (such as healthcare professionals, other contacts/powers of attorney of patients, vendors and next of kin of employees/contractors) may also be involved including names, contact information, address information, relationships to patients or employees/contractors, physician numbers and financial information of vendors.

At this stage, we believe the incident was restricted to our retail operation’s systems and did not impact our wholesale networks.

Investigations are ongoing and we are still assessing the categories of information that may be impacted. We will publish further updates on the categories of information affected and any risks we identify as we find out more.

We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused.

If we confirm that any individual’s personal information has been exfiltrated by the threat actor, we will write to those individuals to confirm this and recommend steps those individuals can take to protect themselves, where required by law and provided we have a means of practicably doing so.

In the interim, we urge all our patients and others potentially affected by this incident to be vigilant regarding all online and phone communications and transactions. Please consider updating your passwords and activate multi-factor authentication wherever possible, and maintain good online safety practices, including avoiding opening messages or clicking on links from unknown senders.

To support patients and others potentially affected by this incident during this time, we have also partnered with IDCare, Australasia’s national identity and cyber support community service. Their expert Case Managers can assist with any concerns related to personal information risks. These services are provided at no cost to you. You can complete an online Get Help form at www.idcare.org or call 0800 121 068 (NZ). A unique referral code will be provided to you if you are impacted by this incident. Along with IDCare, the Privacy Commissioners’ offices have good resources regarding what you can do to protect yourself and can also receive complaints (for New Zealand, see https://www.privacy.org.nz/).

Please continue to stay alert and report any suspicious activity. If you believe that you may be impacted by the incident, please monitor our website for further updates. Alternatively, you may contact us in relation to the incident by emailing support@bloomhearing.com.au.



Published: 9 July 2024

We regret to inform you that we have become aware of a security incident affecting Bloom Hearing Ltd.

On 5 July 2024, we detected a security incident after we were contacted by a third party claiming to have stolen data from our network, which has impacted several applications.

We took immediate steps to contain the incident and are working around the clock to investigate and understand what kinds of information have been affected by this incident and the likely impact on any affected individuals.

Our current understanding is that there is a likelihood that a range of personal information of:

  • patients may be involved, including name, address information, contact information, date of birth, gender, insurance information, health information, financial information and government related identifiers.

  • employees and contractors may also be involved, including name, address information, contact information, date of birth, financial information, superannuation information, social services information, tax information and government related identifiers.

Some personal information of other individuals (such as healthcare professionals, other contacts/powers of attorney of patients, vendors and next of kin of employees) may also be involved.

We will provide further updates as soon as practicable, and all information provided is subject to further confirmation following the completion of forensic investigations.

The privacy of patients, staff and others is of great importance to us, and we sincerely apologise for any distress this incident has caused. We urge our patients, staff and others potentially affected by this incident to be vigilant regarding all online communications and transactions, including phishing via email, SMS or phone, to avoid opening texts from unknown numbers, and to consider updating your passwords to use strong passwords and activating multi-factor authentication.

We will identify any other recommended steps that individuals might take to reduce the risk that they experience serious harm as a result of this incident once we have confirmed what kinds of information have been affected by this incident and the likely impact of this incident on any affected individuals.

We have notified the Office of the Privacy Commissioner, and if you are affected by this security incident you have the right to complain to the Privacy Commissioner.

If you believe that you may be impacted by the incident, please monitor our website for further updates. Alternatively, you may contact us in relation to the incident by emailing support@bloomhearing.com.au.