Quest-owned ReproSource Fertility Diagnostics, Inc. has notified approximately 350,000 patients whose data may have been accessed in a ransomware attack on Aug 8. The attack by unnamed threat actors was discovered on August 10, and Reprosource quickly severed all network connection activity and contained the incident.

Although they have no evidence that any protected health information was acquired or exfiltrated, the provider is notifying all those whose data was potentially accessed.  Their data included a number of protected health information fields in addition to name:

address, phone number, email address, date of birth, billing and health information, such as CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by you or your treating physician

Quest Diagnostics reported the incident to the SEC on October 8, and DataBreaches.net also found notification by their external counsel to the Maine Attorney General’s Office on October 8.

ReproSource is only the latest in a number of incidents involving fertility clinics or reproductive services.  Some other ransomware attacks on fertility/reproductive entities over the past few years include:

• Colorado Center for Reproductive Medicine in Minneapolis was one of the earlier victims of a ransomware attack that we know about. They were hit in October, 2017.
• Family Planning NSW was hit by a ransomware attack in May 2018.
• Reproductive Medicine and Infertility Associates in Minnesota was hit by a malware attack in December 2018.
• Sincera Reproductive Medicine (formerly known as Abington Reproductive Medicine) was hit by Maze ransomware in September, 2020 as reported by this site, but the breach wasn’t disclosed by Sincera until Mary, 2021. A potential class action lawsuit has been filed over this one.
• US Fertility, LLC disclosed a malware attack in November 2020 that reportedly impacted more than 878,000 patients and resulted in a class action lawsuit.
• Reproductive Biology Associates and its affiliate My Egg Bank North America issued a breach notification in June, 2021 involving a ransomware incident that impacted more than 38,000 Atlanta entities.
• CAREFertility in the U.K. was hit by ransomware.  Their practice showed up as a listing on the Lorenz leak site in early August. The facility has not issued any public statement about the breach but informs DataBreaches.net they notified affected patients individually and notified the ICO. From the removal of the listing, and my contacts with CAREFertility, they appear to have paid the threat actors’ demands.