One of the largest networks of fertility clinics in the USA has confirmed that it was targeted by a ransomware attack, resulting in a security breach of patient information.
The fertility clinic network in question, US Fertility, said in a statement that the hackers 'acquired a limited number of files' during a 'period of unauthorised access' that ran from 12 August 2020 to 14 September 2020. Data-stealing ransomware typically harvests data from the source system before encrypting the victim's network for ransom. Some ransomware groups then publish the stolen files on their websites if their ransom demand isn't paid.
'We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals,' Mark Segal, the chief executive officer of US Fertility, said about the breach.
Along with apologising for the incident and re-stating its commitment to safeguarding the privacy and security of patient information, US Fertility revealed that its patients' personal information, such as names and addresses, dates of birth and in some cases even social security numbers, was part of the data breach. The company further stated that there was 'no evidence of actual misuse of any individual's information' related to the attack. However, the company also warned that the attack may have involved protected health information, which would include information about a patient's health or medical treatments, such as test results and medical records.
While US Fertility acknowledged conducting an internal review to confirm the extent of the data breach, it did not explain why it took over two months to publicly disclose the attack. However, its statement noted that the disclosure had not been delayed at the request of law enforcement.
This attack is part of a larger pattern in the US healthcare sector, where several other fertility clinics have been attacked by ransomware in recent months. For example, the Colorado Center for Reproductive Medicine, based in Denver with locations across the USA, suffered a data security breach that affected its Minneapolis clinic in Edina in 2017.