Georgia fertility clinic discloses breach of patient SSNs and medical info after ransomware attack

Reproductive Biology Associates said the medical information of nearly 40,000 patients had been stolen.
Written by Jonathan Greig, Contributor

A fertility clinic in Georgia has notified about 38,000 patients that their medical information and other data, including Social Security numbers, were accessed by cybercriminals during a ransomware attack in April.

Matthew Maruca, general counsel for Reproductive Biology Associates and its affiliate My Egg Bank North America, wrote in a letter that a file server containing embryology data was encrypted on April 16 after attackers gained access to the company's systems starting on April 7. 

The attackers stole names, addresses, SSNs, laboratory results and "information relating to the handling of human tissue," according to Maruca. 

Maruca said the company started an investigation in April that lasted until June 7, when it officially confirmed that patient data had been accessed and taken during the attack. 

While Maruca does not explicitly say that a ransom was paid, the company was eventually able to regain access to the encrypted data and was told by the attackers that "all exposed data was deleted and is no longer in its possession."

"In an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure," Maruca said. "We are continuing to conduct appropriate monitoring to detect and respond to any misuse or misappropriation of the potentially exposed data."

The company offered free monitoring services for those affected and said it hired a cybersecurity company to secure its systems. 

Multiple studies from cybersecurity firms have shown that even after being paid, ransomware gangs often keep or even post stolen information. A Coveware report from November showed that there have been a number of cases where victims have paid attackers and still had their data published online. 

Javvad Malik, a security awareness advocate at KnowBe4, told ZDNet that once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation to what the criminals can do with the stolen data. 

"This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims," Malik said.

"Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations."

The incident caps off a whirlwind week where multiple healthcare institutions notified patients of breaches that leaked their personal information to attackers or the web. Minnesota Community Care, Cancer Centers of Southwest Oklahoma, San Juan Regional Medical Center, Little Hill Foundation for the Rehabilitation of Alcoholics and St. Joseph's Hospital in Savannah, Georgia all reported breaches or ransomware attacks that led to the exposure of patient data over the last week. 

The notices came as US President Joe Biden implored Russian President Vladimir Putin last week to limit attacks on critical industries like healthcare and end protection for groups routinely ransoming hospitals across the US. 
