US Fertility, the largest physician-owned and physician-led fertility organization in the U.S, fell victim to a ransomware attack involving the breach of sensitive patient data.
In it’s statement, US Fertility said that the attack was identified by staff on September 14 when internal systems became inaccessible as a result of a malware infection. Further investigation revealed the encryption of data in several internal servers connected to the company domain.
Like all ransomware attacks, the cyber attackers offer to reverse the data encryption if a ransom payment is made. On September 20, US Fertility managed to remediate the threat and regain control of its ecosystem.
US Fertility has not provided a reason for the two month breach announcement delay.
Forensic reports concluded that unauthorized access occurred between August 12, 2020 and September 14, 2020 and that during this period, sensitive patient data was breached.
The breached data included the following:
- Dates of birth
- MPI numbers
- Social security numbers
US Fertility says that there is no evidence of any malicious use of the breached data.
“...we have no evidence of the misuse of any individual's information as a result of this incident.” They said in their statement.
Because patient records need to be comprehensive, when medical data is breached, cyber criminals gain access to a treasure trove of Personal Identifiable Information. This places compromised patients at a very high risk of identity theft and fraud.