Data including Social Security numbers has been stolen from the largest fertility clinic operator in the United States in a cyber-attack.
US Fertility runs 55 clinics at various locations in 10 of America's 50 states. The company, established in May 2020, is the result of a partnership between private equity firm Amulet Capital Partners and Shady Grove Fertility.
Cyber-criminals attacked US Fertility's network with ransomware in September, impacting almost half of its locations. The company responded by taking a number of its servers and workstations offline, launching an investigation into the incident, and notifying federal law enforcement.
The company provided notice of the incident on November 25, stating: "On September 14, 2020, USF experienced an IT security event (the "Incident") that involved the inaccessibility of certain computer systems on our network as a result of a malware infection. We responded to the Incident immediately and retained third-party computer forensic specialists to assist in our investigation.
"Through our immediate investigation and response, we determined that data on a number of servers and workstations connected to our domain had been encrypted by ransomware."
Digital forensic specialists found that although the ransomware had been triggered on September 14, the attackers had first gained access to US Fertility's network a month earlier, on August 12.
During the weeks they spent inside the network, the attackers had access to files that contained patient data. Sensitive information accessed included names, addresses, dates of birth, MPI numbers, and Social Security numbers.
US Fertility confirmed that the attackers acquired "a limited number of files" during the period of unauthorized access.
"Please also note that we have no evidence of actual misuse of any individual's information as a result of the Incident," said the company.
Following the attack, US Fertility fortified the security of its firewall and engaged digital forensic specialists to monitor network activity and remediate any suspicious activity.
"We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals," said Mark Segal, chief executive officer of USF.