Tens of thousands of patients at a US fertility clinic have had sensitive personal and medical information stolen in a ransomware attack.
Reproductive Biology Associates (RBA) was the first organization of its kind to offer IVF in the US state of Georgia and is the founding partner of the nationwide fertility clinic network My Egg Bank.
In a new breach notification, RBA claimed to have first become aware of a cyber-incident on April 16 this year, when it discovered that a file server containing embryology data had been encrypted.
“We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day. Based on our investigation, we believe the actor first gained access to our system on April 7, 2021 and subsequently to a server containing protected health information on April 10, 2021,” it continued.
“In the course of our ongoing investigation of the incident, on June 7, 2021 we determined the individuals whose personal information was affected. Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.”
It said that 38,000 patients were exposed in the incident, with full names, addresses, Social Security numbers, lab results and “information related to the handling of human tissue” potentially impacted.
RBA said it also conducted web searches to check if any of the stolen information was being discussed or traded online and so far had no indication of such activity.
However, history tells us that ransomware threat actors often don’t keep their word regarding stolen data.
A report from November 2020 claimed that some affiliates are starting to publish data even after ransom payments and/or demanding a second payment to prevent publication.
“Paying a threat actor not to leak stolen data provides almost no benefit to the victim,” warned report author Coveware.