A well-established fertility clinic based in the Southern US state of Georgia has confirmed that it was hit by a targeted ransomware attack resulting in a data breach back in spring. During the cyberattack, data files that contained sensitive information on patients were compromised.

The clinic, Reproductive Biology Associates, LLC (RBA), specialises in recruiting egg donors and retrieving eggs, then storing them safely for later use by future recipients, such as individuals using the US service known as MyEggBank.

MyEggBank works closely with numerous fertility centres across the United States like RBA, in order to recruit valuable donors and build an egg bank that potential recipients can use to search for a suitable donor according to their specific criteria.

Embryology records accessed by ransomware operators

In a recent data leak notification made by RBA and MyEggBank, the Georgia fertility clinic stated that it first discovered it had been struck by a ransomware attack on April 16, after a file server that contained embryological data was encrypted and rendered inaccessible to clinicians.

However, RBA believes the attackers may have first obtained system access as early as April 7 and penetrated a server that contained patient health data on April 10.

In a typical ransomware gang attack, threat actors first breach a network by exploiting a specific vulnerability. They then spend three to seven days discreetly extending their reach throughout the entire network, while deleting backed-up files and stealing the private data records they deem valuable.

Although the RBA statement does not explicitly admit that a ransom has been paid, the notification suggests that one was, both to obtain a decryption key and to prevent the stolen data from being released.

The notification added:

“In the course of our ongoing investigation of the incident, on June 7, 2021, we determined the individuals whose personal information was affected. Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.”

Assessing the damage of a data breach

RBA’s investigation determined that files stolen in the ransomware attack contained personally identifiable information (PII) on around 38,000 patients, including their full names, social security numbers, addresses and laboratory results.

As part of its continuing investigation, the clinic has also hired a professional IT services company to uncover how the attack was carried out, determine which data was accessed and obtained, and secure its network and all connected devices.

Additionally, RBA is offering all impacted patients free identity theft monitoring services and is advising them to monitor their monthly credit reports for any sign of fraud. This is a wise practice: ransomware groups often promise to delete stolen data records when companies decide to pay up, but this is merely an agreement with parties known to employ unscrupulous practices, so there is never any guarantee that the cybercriminals have kept to their part of the deal.