Fertility Clinic Hacking Incident Affected Nearly 80,000
Practice Says Patient PHI, PII Compromised, But Not EMR System
A Chicago-based fertility center has reported that a hacking incident detected in February 2021 has affected the protected health information of nearly 80,000 individuals. The breach is among the latest security incidents involving fertility healthcare providers and the compromise of their patients' sensitive data.
Fertility Centers of Illinois, in a breach notification statement, says that while the incident did not compromise its electronic medical records system, an unauthorized third party gained access to a number of administrative files and folders containing certain data.
FCI reported to the Department of Health and Human Services on Dec. 27 that the hacking/IT incident involved a network server and affected 79,943 individuals.
In its breach notification statement, FCI says it became aware on Feb. 1, 2021 of "suspicious activity on its internal systems."
FCI engaged independent forensic investigators to conduct an investigation of the activity, the statement says. On Aug. 27, 2021, FCI determined that information related to certain FCI patients was included in the set of files accessed by the unauthorized third party, the statement says.
The affected files contained an array of personal, medical and financial information, according to the statement.
That includes patient names, employer-assigned identification numbers, passport numbers, Social Security numbers, financial account information, payment card information, treatment information, diagnosis, treating/referring physicians, medical record number, medical billing/claims information, and prescription/medication information.
Also contained in the compromised files were Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, retirement information, master patient index, information related to occupational health, other medical benefits and entitlements information, other medical identification numbers, reason for absence, sickness certificate, usernames and passwords with PINs or account login information, and medical facilities associated with patient information.
Upon learning of this incident, FCI says it immediately took steps to eliminate unauthorized access and brought in independent forensic experts to investigate and remediate the matter.
"Additional security measures have been taken since the incident to further secure access to data, individual accounts, and equipment, including the implementation of enterprise identity verification software," FCI says. Also, all FCI employees have received enhanced training on security practices, according to the statement.
FCI is offering affected individuals 12 months of complimentary credit monitoring and identity theft protection services, it says, and adds that the clinic is not aware of any actual or attempted misuse of patient information as a result of the incident.
The FCI breach is among the latest major data security incidents in recent months involving entities related to fertility treatment.
Planned Parenthood Los Angeles in December began notifying about 411,000 individuals of an apparent ransomware attack in October that involved exfiltration of files containing sensitive health information, including patients' diagnoses and medical procedures.
Planned Parenthood Los Angeles and its parent entity are now facing at least one proposed class action lawsuit filed in a California federal court in the wake of that incident.
And medical laboratory company Quest Diagnostics revealed in October that an August ransomware attack on its ReproSource Fertility Diagnostics fertility-testing subsidiary led to the potential compromise of 350,000 patients' personal information.
ReproSource so far faces at least one proposed class action lawsuit in the wake of the incident. That lawsuit - alleging negligence and a number of other counts - was filed in a Massachusetts federal court in November by a patient on behalf of others also affected by the incident.
Last June, Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, reported that their systems had been hit by a ransomware attack in April.
The HHS OCR HIPAA Breach Reporting Tool listing health data breaches affecting 500 or more individuals shows that Reproductive Biology Associates reported the incident as a HIPAA breach affecting 38,000.
In November 2020, Maryland-based US Fertility, a business associate that provides IT and other support services to a network of fertility practices operating in several states, reported to HHS' Office for Civil Rights a September 2020 ransomware incident that affected nearly 879,000 individuals.
FCI notes on its website that it is a member of the US Fertility network.
FCI did not immediately respond to Information Security Media Group's request for additional information about its hacking incident.
Healthcare organizations of all types have long been a prime target for cybercriminals, some experts note. "This is likely due to the amount of sensitive personally identifiable information organizations collect and store, as well as a traditionally large number of connected devices integrated into respective networks," says Joseph Carson, chief security scientist and advisory CISO at security vendor ThycoticCentrify.
"The result is a massive, more easily exploitable threat vector. At the same time, disruption to any mission-critical processes can have life or death implications for patients, which makes healthcare organizations more inclined to pay out a ransom, if targeted," he says.
Because medical information is extremely sensitive and valuable for cybercriminals, healthcare institutions that hold PHI must use best security practices, including strong encryption, privileged access security and multifactor authentication, according to Carson.