A fertility clinic based in New York City is notifying patients that their personal data may have been compromised and possibly stolen during a recent cyber-attack.
Extend Fertility, specializing in IVF and freezing eggs and embryos, was hit with ransomware in December 2021. The clinic hired third-party digital forensic specialists to determine the incident's nature and scope.
"On December 20 2021, we discovered a ransomware incident that impacted our networks and servers which contained protected health and personal information of some of our patients," said Extend Fertility in a data breach notice.
"After discovering the incident, we quickly took steps to secure and safely restore our systems and operations."
A month-long investigation into the attack found that cyber-criminals had access to servers on which the protected health information (PHI) and personal data of some of the clinic's patients was stored.
"The investigation determined that on or about December 15, 2021, an unauthorized individual accessed our systems and likely obtained some information," said Extend Fertility.
"We have undertaken an extensive analysis of our files to determine what information was involved and to identify individuals whose data was potentially impacted."
Information potentially compromised in the security incident includes first and last name, gender, home address, phone number, email address, and date of birth, medical history, diagnosis and treatment information, dates of service, lab test results, prescription information, provider name, medical account number and financial information.
The full extent of the attack has not yet been engaged as the data analysis is ongoing. However, the clinic has begun informing individuals whose data may have been viewed and/or obtained.
The clinic did not state how many patients were impacted by the incident. Placing the cyber-attack in a broader context, Extend Fertility described itself as "one of the many healthcare providers confronting the impacts of the evolving cyber threat landscape."
The clinic is offering complimentary credit monitoring and identity protection services to individuals impacted or involved in the incident. Extend Fertility said that it had not discovered any evidence to suggest that any patient information impacted by the attack has been used for identity theft or financial fraud.