Sensitive personal and medical information of around 38,000 patients has been exposed in a ransomware attack on a US fertility clinic.
Reproductive Biology Associates (RBA) is a fertility treatment provider in Georgia and is also the founding partner of MyEggBank, the largest network of donor egg banks in North America.
A data breach notification was issued by both RBA and MyEggBank earlier this month. It revealed the clinic first became aware of a cyber-incident on 16 April this year, when it discovered that 'a file server containing embryology data was encrypted and therefore inaccessible.'
RBA said, 'We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor's access, within the same business day.'
However, RBA believes the attackers first gained access to its systems on 7 April and to the server containing health information on 10 April. Ransomware threat actors often breach a single system on a network and then spread through the rest of the network to steal files and delete backups before encrypting.
An investigation into the attack revealed that the information of 38,000 patients was exposed, with details including their full names, addresses, social security numbers, laboratory results, and 'information related to the handling of human tissue' potentially impacted and unlawfully disclosed.
RBA has since stated that, during their investigation into the attack, 'access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.' The clinic added that it has conducted web searches and has found no indication that any of the stolen information is being discussed or traded online.
While RBA does not explicitly state that it paid a ransom, the data breach notification indicates that it did so to obtain a decryptor and prevent the release of the stolen data.