Service provider to fertility clinics discloses malware attack
A press release from US Fertility (“USF”) follows. The Center for Fertility and Gynecology in California is not listed among USF entities in the press release. I mention that because the Center for Fertility and Gynecology still has not posted anything on their site or issued any press release about a ransomware attack that NetWalker claimed in August. Nor have they responded to inquiries from this site about the alleged attack. But USF’s attack, described below, did impact a number of other infertility clinics, it seems:
ROCKVILLE, Md., Nov. 25, 2020 /PRNewswire/ — US Fertility (“USF”) is providing notice of a recent incident that may affect the security of certain individuals’ protected health information. USF provides IT platforms and services to several infertility clinics, including Georgia Reproductive Specialists, LLC d/b/a SGF Atlanta, Center for Reproductive Endocrinology, Center for Reproductive Medicine & Advanced Reproductive Technologies, Center for Reproductive Medicine Alabama, Center for Reproductive Medicine Orlando, Coastal Fertility Specialists, Fertility Centers of Illinois, LLC, Fertility Partners of Pennsylvania Surgery Center, LLC, Idaho Center for Reproductive Medicine, Nevada Center for Reproductive Medicine, Nevada Fertility Center, New York Fertility Medical Practice, PLLC d/b/a SGF New York, Northwest Center for Infertility and Reproductive Endocrinology, LLP d/b/a IVF Florida Reproductive Associates, Reproductive Endocrinology Associates of Charlotte, Reproductive Partners Fertility Center – San Diego, Reproductive Partners Medical Group, Inc., Reproductive Science Center of the San Francisco Bay Area, Seattle Reproductive Medicine, SGF Tampa Bay, LLC, Shady Grove Fertility Center of Pennsylvania, PLLC, Shady Grove Reproductive Science Center, P.C., Sher Institute of Reproductive Medicine New York, Sher Institute of Reproductive Medicine St. Louis, UNC Fertility, Utah Fertility Center, Virginia Fertility Associates, LLC d/b/a SGF Richmond, and Virginia IVF and Andrology Center, LLC.
“We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals,” said Mark Segal, Chief Executive Officer of USF.
On September 14, 2020, USF experienced an IT security event (the “Incident”) that involved the inaccessibility of certain computer systems on our network as a result of a malware infection. We responded to the Incident immediately and retained third-party computer forensic specialists to assist in our investigation. Through our immediate investigation and response, we determined that data on a number of servers and workstations connected to our domain had been encrypted by ransomware. We proactively removed a number of systems from our network upon discovering the Incident. With the assistance of our third-party computer forensic specialists, we remediated the malware identified, ensured the security of our environment, and reconnected systems on September 20, 2020. We also notified federal law enforcement authorities of the Incident and continue to cooperate with their investigation. The forensic investigation is now concluded and confirmed that the unauthorized actor acquired a limited number of files during the period of unauthorized access, which occurred between August 12, 2020 and September 14, 2020, when the ransomware was executed.
We have been working diligently with a specialized team of third-party data auditors to perform a comprehensive review of all information contained in the files accessed without authorization as a result of the Incident. The purpose of this review was to accurately identify any individuals whose personal information may have been present within the impacted files and therefore accessible to the unauthorized actor.
On November 13, 2020, we began receiving the results of this review and determined that the following information relating to certain individuals was included in the impacted files when they were accessed without authorization: names, addresses, dates of birth, MPI numbers, and Social Security numbers. The types of information impacted vary by individual, and we determined that for many individuals, Social Security numbers were not impacted. Please also note that we have no evidence of actual misuse of any individual’s information as a result of the Incident.
In response to the Incident, USF has taken the following actions to mitigate any risk of compromise to information involved and to better prevent a similar event from recurring: (1) fortified the security of our firewall; (2) utilized the forensic specialists engaged to monitor network activity and remediate any suspicious activity; (3) provided notification to potentially impacted individuals as quickly as possible. We are also adapting our existing employee training protocols relating to data protection and security, including training targeted at recognizing phishing emails. We believe these steps will be effective in mitigating any potential harm to individuals. As always, we encourage individuals to review account statements, explanations of benefits, and credit reports carefully for unexpected activity and to report any questionable activity to the associated institutions immediately.
We sincerely apologize that this Incident occurred and remain committed to safeguarding the privacy and security of the information entrusted to us. We have established a dedicated call center for individuals to contact with questions or concerns. If you have any questions regarding this Incident that are not addressed in this notice, please contact our assistance line, which can be reached at 855-914-4699 (toll free), Monday through Friday from 9:00 am to 9:00 pm EST, excluding U.S. holidays.
Additional background on USF can be found here, although I have yet to find an actual web site for them.