Just received this and felt really angry that so much information is being collected for a hearing test and the type of people who will be affected by this, mostly older I would imagine.
Dear Madam/Sir,
Notification of data breach affecting “bloom hearing specialists”
We regret to inform you that we have become aware of a security incident affecting Bloom Hearing Ltd.
On 5 July 2024, we became aware of a ransomware attack which encrypted data on several of our systems and impacted a number of our applications. We have since verified that there was unauthorised access by the threat actor and that they have stolen data from our network. There is a risk that the threat actor may publish the stolen data or disclose it to unknown third parties.
As soon as we became aware of the incident, we took immediate steps to contain it and secure our systems, and our response team is working hard to investigate and identify what personal information has been affected by this incident.
We have notified the incident to the New Zealand Office of the Privacy Commissioner, the Office of the Australian Information Commissioner and law enforcement in both countries and will continue to liaise with those authorities as appropriate.
Types of personal information affected
We understand your name, address, contact details (including your email address and/or phone number), date of birth, gender and health information (including audiograms and other patient records) are included in the data which has been stolen by the threat actor.
You should also be aware that additional types of personal information and data may have been taken by the threat actor including: your funding source or insurance information (and potentially relevant claim details), financial information (including bank account details), and government related identifiers (including potentially NHI numbers and MSD/WINZ client number) and/or driver’s licence details, and potentially details of other contacts (including powers of attorney and/or next of kin). Please do bring this notification to their attention as well.
Due to the volume and complexity of the data sets stolen, it is not practicable for us to confirm if, or the extent to which, any of the additional types of data / personal information stolen by the threat actor relate to you.
Investigations are ongoing and, if we confirm that other types of personal information have been stolen by the threat actor, we will provide you with a further update where required by law.
We know this is a concerning development but rest assured your privacy and security are of utmost importance to us. We sincerely apologise for any distress this incident may have caused.
Recommended steps you should take in response
You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you. The types of personal information affected may increase the likelihood of you being targeted by identity-related crime (including identity theft and identity fraud), cyber scam activities and extortion attempts (where criminals contact you and threaten to publish your personal information unless you provide payment to them). That being so, we recommend that you:
- Be cautious about clicking on links in emails or text messages, no matter how legitimate they appear.
- Do not be pressured to respond, whether it is by email, text message or telephone. Instead, contact the organisation sending the message directly using contact details you know to be correct.
- Be cautious about providing any personal or credential information (e.g. usernames and account information) and never do so in response to an extortion attempt. Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
- Do not follow technology instructions from someone you do not know, including instructions to download apps or software, or give remote access to your computer or mobile device.
- Be cautious about providing any financial, tax, KiwiSaver or other superannuation account details or any payment (and never do so in response to an extortion attempt). Any extortion attempts may be reported to New Zealand Police or Cert NZ using the details below.
- Protect your accounts with multifactor authentication, including financial, work / business, KiwiSaver, superannuation, insurance, government, email, and social media accounts.
- Log yourself out of your accounts and change your passwords.
- Use unique and strong passwords (and try to avoid using a common or similar password for different accounts) and do not share your passwords.
- Contact government agencies, your phone and internet provider(s), utilities providers, KiwiSaver / superannuation and financial organisations to let them know you have been affected by this incident and request they place additional security on your account.
- Contact your employer to let them know you have been affected by this incident and request that additional security be placed on your personal details (including contact details, address, banking and KiwiSaver / superannuation details).
- Install antivirus on your devices, and ensure it is kept updated. This will not prevent all phishing or other cybercrime, but will reduce the risks to you. You will still need to remain vigilant.
- Regularly review your account details and security settings for any online accounts. Check that your contact details are correct, and changes have not been made to any linked bank accounts or other services.
- Monitor your account statements, and obtain a copy of your credit report, to check for any suspicious activity. You should report any suspicious activity and, if you suspect fraud or want to take additional protective measures, you should consider also requesting a ban on your credit report.
To support you during this time, we have also partnered with IDCARE, New Zealand and Australia’s national identity and cyber support community service. Further information about risks and recommendations, including specific recommendations relating to some of the categories of personal information listed above, are included on a dedicated support page set up for individuals affected by this incident on the IDCARE website at https://www.idcare.org/bloom-hearing-specialists-incident-response. We recommend you review this information carefully.
In addition to the dedicated support page referred to above, IDCARE’s expert Case Managers can assist with any concerns related to personal information risks. These services are provided at no cost to you. You can complete an online Get Help form at www.idcare.org or call 0800 121 068 (NZ), using the referral code BHSCUST24.
Along with IDCARE, the Privacy Commissioners’ offices have good resources regarding what you can do to protect yourself and can also receive complaints (for New Zealand, see https://www.privacy.org.nz/), and we recommend you review this information carefully.
If you experience distress, we also recommend seeking mental health support from your doctor or other available support services, examples of which are included below. In an emergency, please call 111.
Other information and resources
Other information and resources are available, including from:
- Office of the Privacy Commissioner and/or the Office of the Australian Information Commissioner; and
- CERT NZ or call 0800 CERT NZ (0800 2378 69).
Any individual can report a cybercrime or incident to New Zealand Police by calling 111 in an emergency (or for non-emergency incidents or crimes, you can still report by phone using 105, online to 105 or in person) or to Cert NZ using the details above.
Mental health support is also available, including from:
- 1737, Need to Talk – Free call or text 1737 any time;
- Lifeline Aotearoa: 0800 543 354 or free text 4357; and
- National Depression Helpline: 0800 111 757 or free text 4202.
Please continue to stay alert and report any suspicious activity. Please also monitor our websites, and the dedicated support page on the IDCARE website, for any further updates. If you have specific concerns or wish to seek further guidance, please contact IDCARE via the means above. If IDCARE cannot assist you, or you have further concerns once you’ve contacted IDCARE, you can contact us directly on support@bloomhearing.co.nz.


