Quest Diagnostics has informed the SEC about a ransomware attack in August that hit ReproSource, a fertility clinic owned by the company.
The ransomware attack led to a data breach, exposing a significant amount of health and financial information for about 350,000 ReproSource patients.
In a statement to ZDNet, Quest said ReproSource provided notice that it experienced a data security incident in which an unauthorized party may have accessed or acquired the protected health information and personally identifiable information of some patients.
"On August 8, 2021, an unauthorized party accessed the ReproSource network. ReproSource discovered ransomware on the morning of August 10, and in less than an hour severed all network connection activity and contained the incident," a company spokesperson explained.
"ReproSource immediately launched a comprehensive investigation to determine the cause and scope of the incident. ReproSource retained leading cybersecurity experts to assist with our investigation, confirmed containment of the ransomware, and quickly and securely recovered operations. Additionally, ReproSource promptly notified law enforcement."
Quest added that ReproSource began sending out breach notification letters to victims on September 24.
The letters tell victims that the personal information leaked during the ransomware attack includes names, addresses, phone numbers, email addresses, dates of birth and billing information.
A trove of health information was also leaked during the attack, including CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers and other information provided by individuals or by treating physicians.
The company admitted that an undisclosed number of people also had driver's license numbers, passport numbers, Social Security numbers, financial account numbers, and/or credit card numbers leaked in the attack.
News of the breach came to light after a regulatory filing by Quest, which said the larger company was not affected by the incident at ReproSource but confirmed that it was a ransomware attack. Quest noted that it has cybersecurity insurance and does not believe it will have a severe effect on the company's finances as other ransomware attacks have.
ReproSource is providing victims with free credit and identity monitoring services from Kroll but did not say how long these services would last.
ReproSource is the second fertility clinic this year to send out breach notifications after a ransomware attack.
Georgia-based Reproductive Biology Associates, and its affiliate My Egg Bank North America, notified about 38,000 patients that cybercriminals had accessed their medical information and other data like social security numbers during a ransomware attack in April.
Healthcare facilities continue to face the brunt of ransomware attacks worldwide, specifically because of the sensitive data they are forced to collect on patients, employees and visitors.
Hundreds have been attacked this year, and the problem has shown no signs of slowing down.
"Like with other critical infrastructure, healthcare systems face unique vulnerability from ransomware attacks because the exposed data affects not only patients' privacy, but also their choices about medical treatment. Fertility treatments are a perfect example of this, as they can require up to tens of thousands of dollars in investments from prospective parents, making this sector a perfect target for bad actors looking for a profit," said Tim Eades, CEO at cybersecurity company vArmour.
"It's a reality that ransomware will continue to target fertility clinics and other health systems for their valuable data."