Embryology Data Breach Follows Fertility Clinic Ransomware Hit

Approximately 38,000 of RBA’s customers had their embryology data stolen by a ransomware gang.

A fertility clinic serving the Atlanta area has been hit with a ransomware attack that also exposed private health information for 38,000 of its patients.

Reproductive Biology Associates (RBA), along with its affiliate My Egg Bank North America, is a well-known pioneer in in-vitro fertilization (IVF). After launching in 1983 as Georgia’s first IVF program, it became the first on the East Coast to achieve pregnancy from a frozen embryo, and the first in the Western Hemisphere to report a birth from frozen donor eggs. MyEggBank, meanwhile, is the largest network of donor egg banks and client practices in North America, according to its website.

RBA disclosed the breach on Friday. The company said that cyberattackers were able to infiltrate its network on April 7, before moving laterally to a server housing sensitive patient information three days later, on April 10. RBA discovered the attack on April 16.

“We discovered that a file server containing embryology data was encrypted and therefore inaccessible,” according to the notice. “We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day.”

The firm’s investigation uncovered that the attackers were able to make off with reams of personal information, including full names, addresses, Social Security numbers, laboratory results and “information relating to the handling of human tissue.”

That said, RBA reported that it “obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.” It also scanned the Dark Web to see if the data was circulating.

“We conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure,” according to the notice, which added, “We are continuing to conduct appropriate monitoring to detect and respond to any misuse or misappropriation of the potentially exposed data.”

By June 7, the clinic had identified affected customers and begun notifications, it said.

It’s unclear which ransomware was involved in the attack, or whether RBA paid the ransom to recover control of its encrypted server and have the stolen data destroyed. It did not immediately return a request for comment.

“Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations,” said Javvad Malik, security awareness advocate at KnowBe4, via email. “Once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation of what the criminals can do with the stolen data. This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims.”

For its part, RBA made the expected statement of regret that the incident occurred and offered assurances that it takes the security of its information “very seriously.” It said it has also contracted a professional firm to conduct forensics, such as deploying device tracking and monitoring to help contain and investigate the scope of the incident.

“We have also applied additional internal controls and have provided additional cybersecurity training to our staff to prevent this type of incident from occurring in the future,” according to the letter. “These controls include working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems, updating, patching and in some cases replacing infrastructure to the latest versions, deploying password resets to appropriate users, rebuilding impacted systems and deploying advanced antivirus and malware protection.”
