Georgia fertility clinic breach exposes sensitive patient info
Around 38,000 patients' data at risk
A fertility clinic based in Georgia has admitted hackers stole data holding sensitive patient information during a ransomware attack.
In a statement to patients, Reproductive Biology Associates, LLC, (RBA) said the breach affected about 38,000 patients. The clinic said it became aware of a potential data incident in mid-April when it discovered a file server holding embryology data was encrypted and inaccessible.
“We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day,” the statement read.
Further investigations found that hackers accessed its systems on April 7 and then a server containing protected health information on April 10. On June 7, the organization determined whose personal information was affected.
While the organization did not say if it paid a ransom, it said in the notification that, in communicating with the hackers, it managed to regain access to files and confirmed with whoever accessed its systems that all exposed data was deleted and is no longer in their possession.
During the investigation, the organization determined the data stolen in the ransomware attack included patients’ full names, addresses, Social Security numbers, laboratory results, and information relating to the handling of human tissue.
The RBA has engaged with a professional IT services firm to conduct interviews and analyze forensic data related to the incident. It is also offering affected individuals free identity monitoring services.
Jamie Akhtar, CEO and co-founder of CyberSmart, told ITPro there is a growing trend with ransomware attacks to not solely encrypt data but also steal it and threaten to release it if the victim doesn’t pay the ransom. This double-extortion attack places further pressure on the victim to pay up.
“In this case, it seems RBA has paid the ransom and received confirmation from the cybercriminals that all exposed data has been deleted. However, we cannot take their word for it. RBA has done well to set up monitoring measures to detect any misuse of exposed data, but customers should also remain vigilant, particularly to spear-phishing attacks which can open a new, fresh pipeline of cybercrime for the involved parties,” he said.
Javvad Malik, a security awareness advocate at KnowBe4, told ITPro it's essential that all organizations take the threat of cyber attacks seriously and put in place layers of security to help protect, detect, and respond to any threats in a timely manner. These should be a mix of technical, procedural, and human controls to maximize the chances of preventing an incident.
“Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations,” Malik said.
“Once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation of what the criminals can do with the stolen data. This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims.”
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.
