Some of the most sensitive and private information a person has relates to reproductive health.
A ransomware attack on Reproductive Biology Associates (RBA) and its affiliate My Egg Bank caused the protected health information (PHI) of at least 38,538 patients to be exposed. RBA in Atlanta, Georgia was one of the first organizations in the U.S. to offer in vitro fertilization (IVF) and is the founding partner of the nationwide fertility clinic network My Egg Bank.
The exposed PHI includes:
- full names
- Social Security numbers
- lab results, and
- information related to the handling of human tissue
Reproductive Biology Associates said it became aware of a cybersecurity incident on April 16th when it discovered that a file server containing embryology data had been encrypted. They started an investigation and found that the hacker had gained access to their system on April 7th and entered the server with patient data on April 10th. By June 7th the investigation had determined the identities of 38,000+ individuals whose data was exposed.
“In the course of our ongoing investigation of the incident, on June 7, 2021 we determined the individuals whose personal information was affected. Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.”
The breach notice continues:
“In an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure.”
False Hope to Believe Ransomware Attackers
Criminals are not trustworthy. The FBI has warned that paying a ransom is not a guarantee that the data will not be sold on the dark web. Although RBA has not disclosed whether it paid a ransom, the likelihood is that they did in order to regain access to the encrypted files.
Underscoring the FBI’s warning, a report last year by Coveware, a cybersecurity firm, shows that ransomware attackers are likely to break their promise not to leak stolen data once a target has paid them.
Coveware urges ransomware victims to think carefully about their strategy and long-term liabilities when formulating a response.
“This includes getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel… Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim.” (italics added for emphasis)
Guidance from the Cybersecurity and Infrastructure Security Agency (CISA) on how to prevent and manage ransomware can be found here. This dovetails with FBI guidance mentioned above.
Prevent Ransomware with Risk Management
Healthcare continues to be a target of cyber criminals – the best defense against cybersecurity threats of all kinds, including ransomware, is thorough HIPAA Risk Analysis – Risk Management. All the tips and prevention advice offered by the FBI and CISA are contained in the HIPAA Risk Analysis.
If you need help, The HIPAA E-Tool® has answers.