Cyber-Attack on Fertility Centers of Illinois

A company that operates multiple fertility centers across Northern Illinois has suffered a data breach because of a cyber-attack.

Fertility Centers of Illinois (FCI) reported the data breach, which affected 79,943 current and former patients, to the Department of Health and Human Services’ Office for Civil Rights (OCR).

The unidentified attacker had access to some of the patients’ protected health information (PHI) and could access personal data belonging to FCI employees.

FCI hired third-party computer forensic specialists after the company detected suspicious network activity on February 1 2021. 

While cybersecurity measures implemented by FCI ensured that the company’s electronic medical record system could not be accessed, the attacker was able to get into administrative files and folders. 

FCI reviewed the contents of the compromised files. By August 27 2021, it determined that they contained a range of patient data, including names in combination with one or more of the following types of information: Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs, or account login information.

Employee information potentially compromised in the cyber-attack included names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence and sickness certificates.

Since the attack occurred, FCI has improved its cybersecurity posture, including implementing enterprise-class identity verification software and providing extra training to its workforce on cybersecurity practices.

Data breach notifications have been mailed out to all affected individuals. FCI offers victims complimentary credit monitoring and identity theft protection services for 12 months through Equifax.

News of the FCI attack follows the theft of data from America’s largest fertility clinic operator, US Fertility, in September 2020. In November 2021, a fertility clinic in the United Kingdom also became the victim of cyber-criminals when ransomware was used to attack a medical record scanning company used by Lister Fertility Clinic.
