[BreachExchange] Fertility Clinic Hacking Incident Affected Nearly 80, 000

[Terrell Byrd]

https://www.govinfosecurity.com/fertility-clinic-hacking-incident-affected-nearly-80000-a-18269

A Chicago-based fertility center has reported that a hacking incident
detected in February 2021 has affected the protected health information of
nearly 80,000 individuals. The breach is among the latest security
incidents involving fertility healthcare providers and the compromise of
their patients' sensitive data.

Fertility Centers of Illinois in a breach notification statement says that
while the incident did not compromise its electronic medical records
system, an unauthorized third party gained access to a number of
administrative file and folders containing certain data.

FCI reported to the Department of Health and Human Services on Dec. 27 that
the hacking/IT incident involved a network server and affected 79,943
individuals.

Breach Details
In its breach notification statement, FCI says it became aware on Feb. 1,
2021 of "suspicious activity on its internal systems."

FCI engaged independent forensic investigators to conduct an investigation
of the activity, the statement says. On Aug. 27, 2021, FCI determined that
information related to certain FCI patients was included in the set of
files accessed by the unauthorized third party, the statement says.

The affected files contained an array of personal, medical and financial
information, according to the statement.

That includes patient names, employer-assigned identification numbers,
passport numbers, Social Security numbers, financial account information,
payment card information, treatment information, diagnosis,
treating/referring physicians, medical record number, medical
billing/claims information, and prescription/medication information.

Also contained in the compromised files were Medicare/Medicaid
identification information, health insurance group numbers, health
insurance subscriber numbers, patient account numbers, encounter numbers,
retirement information, master patient index, information related to
occupational health, other medical benefits and entitlements information,
other medical identification numbers, reason for absence, sickness
certificate, usernames and passwords with PINs or account login
information, and medical facilities associated with patient information.

Upon learning of this incident, FCI says it immediately took steps to
eliminate unauthorized access and brought in independent forensic experts
to investigate and remediate the matter.

"Additional security measures have been taken since the incident to further
secure access to data, individual accounts, and equipment, including the
implementation of enterprise identity verification software," FCI says.
Also, all FCI employees have received enhanced training on security
practices, according to the statement.

FCI is offering affected individuals 12 months of complementary credit
monitoring and identity theft protection services, it says, and adds that
the clinic is not aware of any actual or attempted misuse of patient
information as a result of the incident.

Other Incidents
The FCI breach is among the latest major data security incidents in recent
months involving entities related to fertility treatment.

Planned Parenthood Los Angeles in December began notifying about 411,000
individuals of an apparent ransomware attack in October that involved
exfiltration of files containing sensitive health information, including
patients' diagnoses and medical procedures.

Planned Parenthood Los Angeles and its parent entity are now facing at
least one proposed class action lawsuit filed in a California federal court
in the wake of that incident.

And medical laboratory company Quest Diagnostics revealed in October that
an August ransomware attack on its ReproSource Fertility Diagnostics
fertility-testing subsidiary led to the potential compromise of 350,000
patients' personal information.

ReproSource so far faces at least one proposed class action lawsuit in the
wake of the incident. That lawsuit - alleging negligence and a number of
other counts - was filed in a Massachusetts federal court in November by a
patient on behalf of others also affected by the incident.

Last June, Reproductive Biology Associates, an Atlanta-based clinic
operator, and its affiliate, MyEggBank North America, reported that their
systems had been hit by a ransomware attack in April.

The HHS OCR HIPAA Breach Reporting Tool listing health data breaches
affecting 500 or more individuals shows that Reproductive Biology
Associates reported the incident as a HIPAA breach affecting 38,000.

In November 2020, Maryland-based US Fertility, a business associate that
provides IT and other support services to a network of fertility practices
operating in several states, reported to HHS' Office for Civil Rights a
September 2020 ransomware incident that affected nearly 879,000 individuals.

FCI notes on its website that it is a member of the US Fertility network.

FCI did not immediately respond to Information Security Media Group's
request for additional information about its hacking incident.

Prime Target
Healthcare organizations of all types have long been a prime target for
cybercriminals, some experts note. "This is likely due to the amount of
sensitive personally identifiable information organizations collect and
store, as well as a traditionally large number of connected devices
integrated into respective networks," says Joseph Carson, chief security
scientist and advisory CISO at security vendor ThycoticCentrify.

"The result is a massive, more easily exploitable threat vector. At the
same time, disruption to any mission-critical processes can have life or
death implications for patients, which makes healthcare organizations more
inclined to pay out a ransom, if targeted," he says.

Because medical information is extremely sensitive and valuable for
cybercriminals, healthcare institutions that hold PHI must use best
security practices, including strong encryption, privileged access security
and multifactor authentication, according to Carson.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220110/76bee940/attachment.html>