Reproductive Biology Associates and its affiliate My Egg Bank North America issued a breach notification involving a ransomware incident that impacted the Atlanta entities.
According to the notification submitted to Maine’s Attorney General’s Office and similar statements posted on their web sites, the entities
first became aware of a potential data incident on April 16, 2021 when they discovered that a file server containing embryology data was encrypted and therefore inaccessible. They report that they quickly determined that this was a ransomware attack and they shut down the affected server, thus terminating the actor’s access, within the same business day.
Based on their investigation, they believe the threat actor gained access to the system on April 7 and gained access to the server with ePHI on April 10. On June 7, they determined which individuals had been impacted.
The entities do not forthrightly state that they then paid the threat actor’s ransom demand, but that seems to be a justifiable inference given that their next statement was that access to the encrypted files was regained and
We obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession.
While it is not totally impossible that threat actors might voluntarily just delete data, it is highly unlikely and much more likely that these entities paid ransom.
Despite having paid ransom, the entities took other measures to protect patient data: they conducted web searches to see if the data showed up anywhere and note that they are continuing to monitor for that. They do not indicate whether they searched dark web forums as well, but that would be a reasonable approach to include. They have also offered affected individuals credit monitoring services.
For those patients whose data had been accessed or exfiltrated, the data types included name, address, Social Security Number, laboratory results, date of birth, and information relating to the handling of human tissue.
In response to the breach, the entities have taken other steps. They write:
As a result of this incident, we have initiated an investigation through a leading professional IT services firm to conduct interviews and analyze forensic data related to the incident. Specifically, we have deployed device tracking and monitoring to help contain and investigate the scope of the incident, as well as performed forensic analyses to understand the scope of the incident.
We have also applied additional internal controls and have provided additional cybersecurity training to our staff to prevent this type of incident from occurring in the future. These controls include working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems, updating, patching, and in some cases replacing infrastructure to the latest versions, deploying password resets to appropriate users, rebuilding impacted systems, and deploying advanced antivirus and malware protection.
According to their notification to Maine, 38,538 patients were being notified this week.