[BreachExchange] US Fertility Sued Over Ransomware Attack, Health Data Exfiltration

[Destry Winant]

https://healthitsecurity.com/news/us-fertility-sued-over-ransomware-attack-health-data-exfiltration

February 03, 2021 - US Fertility (USF) has been sued by the
individuals impacted by its September ransomware attack, after the
threat actors gained access to the third-party vendor’s network for a
month and exfiltrated a trove of health data, medical records, and
other sensitive data.

USF provides support services for a range of US fertility clinics and
operates 50 fertility clinics across the country. In late November,
the vendor reported it had fallen victim to a ransomware attack and
that a range of patient data from a number of clinics was likely
compromised ahead of the malware payload.

The ransomware portion of the attack was discovered on September 14,
which encrypted a number of computers on the network.

However, the investigation revealed the hackers stole patient data
prior to deploying the encryption malware nearly a month earlier,
between August 12 and September 14.

The stolen and accessed data varied by patient and included names,
contact details, dates of birth, MPI numbers, medical record
information, health insurance data, financial account details,
passport numbers, diagnoses, treatments, and Social Security numbers,
among other data.

Filed in the US District Court for Maryland’s Southern Division, the
lawsuit calls the breach “particularly egregious.” The breach victims
are suing USF for negligence, breach of implied contract, unjust
enrichment, and violation of the Nevada Deceptive Trade Practices Act.

The lawsuit purports that the victims have also suffered irreparable
harm and are now at an increased risk for identity theft. The
individuals are now forced to undertake additional security measures
to minimize the risk of identity theft and “emotional devastation.”

“USF’s carelessness and inadequate data security caused patients of
fertility clinics utilizing its services to lose all sense of
privacy,” the lawsuit argues. “The data breach was the result of USF’s
inadequate and laxed approach to the data security and protection of
its customers’ PII that it collected during business.”

“[The individuals’] rights were disregarded by USF’s reckless and/or
negligent failure to take adequate and reasonable measures to ensure
its data systems were protected, failure to disclose the material fact
that it did not have adequate computer systems and security practices
to safeguard PII, [and] failure to take available steps to prevent the
data breach, “ it adds.

The lawsuit also argues the USF’s security policies lacked appropriate
monitor abilities to detect the breach in a timely fashion.

As such, the patients are at a heightened risk of data theft,
unauthorized financial charges, costs associated with detection and
prevent of identity theft from the stolen information, and damages
stemming from the inability to use credit or debit cards suspended as
a result of fraudulent charges, among other potential harms.

The lawsuit also contains a number of issues patients have experienced
as a direct result of the data incident, including reduced credit
scores and fraudulent unemployment attempts.

The breach victims are asking the lawsuit to be certified as class
action, as well as restitution for the costs incurred as a direct
result of the data breach.

The lawsuit is also seeking a requirement for USF to implement proper
data security policies and practices, including encryption measures
for all data collected, requiring the deletion or destruction of
lawsuit members’ personally identifiable information, and mandating
the implementation of a comprehensive information security program.

The victims also want USF to be required to engage with an outside
security auditor or penetration tester, as well as internal security
personnel to conduct pen testing, simulate attacks,  anaudit of all
USF systems to identify and correct potential security
vulnerabilities.

The third-party auditor would also be tasked with running automated
security monitoring and implementing proper segmentation, access
controls, database scanning, and firewalls, as well as training and
testing all workforce members.

“The injuries [individuals] suffered were directly and proximately
caused by USF’s failure to implement or maintain adequate data
security measures for PII,” according to the lawsuit. “[individuals]
retain a significant interest in ensuring that their PII, which
remains in USF’s possession, is protected from further breaches, and
seek to remedy the harms suffered as a result of the Data Breach for
themselves and on behalf of similarly situated consumers whose PII was
stolen.”

Health data breach lawsuits have become increasingly common in light
of the current threat landscape but to mixed results—and most are
settled out of court.

Most recently, a Delaware judge tossed a lawsuit against Brandywine
Urology Consultants a year after it was filed, as the victims did not
provide evidence of actual harm. The case may prove an example for
future data breach lawsuits and the need for victims to demonstrate
actual harm.