Fertility Testing Lab Says Ransomware Breach Affects 350,000
Also, NJ AG Smacks Fertility Clinic With Big Fine in Hacking Incident
A flurry of hacking incidents and other recent breach developments highlight the cyberthreats and risks facing fertility healthcare and other related specialty providers that handle sensitive patient information.
In a filing on Friday with the U.S. Securities and Exchange Commission, medical laboratory testing company Quest Diagnostics says an August 2021 ransomware attack on its ReproSource fertility-focused laboratory subsidiary has led to the potential compromise of personal information of approximately 350,000 patients.
A data security incident notice posted by Marlborough, Massachusetts-based ReproSource on its website says its analysis to date indicates that the information in files that may have been accessed or acquired without authorization includes names, addresses, phone numbers, email addresses, dates of birth, billing and health information, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or treating physicians.
ReproSource also says that for a small group of individuals, affected information may have included numbers for driver’s licenses, passports, Social Security accounts, financial accounts, and/or credit card accounts.
Meanwhile, on Tuesday, New Jersey acting Attorney General Andrew Bruck and the state's Division of Consumer Affairs announced a $495,000 financial settlement and corrective action plan with Diamond Institute for Infertility and Menopause LLC related to a hacking incident reported in April 2017 that affected nearly 15,000 individuals.
The financial settlement includes a $412,300 civil monetary penalty, plus $82,700 to reimburse the Division of Consumer Affairs for attorneys’ fees and investigative costs.
The Millburn, New Jersey-based Diamond Institute's fertility and women's healthcare practice operates two clinics in New Jersey and one in New York and offers consultation services in Bermuda.
Other Data Security Incidents
The ReproSource ransomware attack and New Jersey's breach settlement with Diamond are among the latest data security incidents and related fallout involving fertility healthcare services providers.
In June, Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, reported that their systems had been hit by a ransomware attack in April.
The Department of Health and Human Services' HIPAA Breach Reporting Tool listing health data breaches affecting 500 or more individuals shows that Reproductive Biology Associates reported the incident as a HIPAA breach affecting 38,000.
Among the largest breaches reported in 2020 was a ransomware incident affecting nearly 879,000 individuals reported last November by Maryland-based US Fertility, a business associate that provides IT and other support services to a network of fertility practices operating in several states.
So far, at least one class action lawsuit has been filed against the company related to that incident.
Also, a ransomware-related breach by Women’s Care Florida LLC affected nearly 529,000 individuals and was one of the largest health data breaches reported in 2019.
Besides the rash of data breaches involving fertility healthcare entities, other specialty healthcare providers, including mental health clinics, that also handle particularly sensitive health information have been the targets of recent hacking incidents (see: Mental Health Clinic Notifies Patients 6 Months After Hack).
Valuable Private Data
Overall, healthcare sector organizations are experiencing more ransomware and other security attacks for several reasons, says Jim Van Dyke, a senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised.
"They are more likely to have all sorts of private data - personally identifiable information, PHI, and even payment data of highest monetary value to cybercriminals - because they work directly with consumers in an intimate manner," he says.
"Also, many healthcare sector entities are likely spending less on security relative to other industry sectors that have comparable amounts of highest-value private consumer data," he notes.
"The uniquely complex U.S. model of healthcare service and provisioning creates more cybercrime opportunities."
ReproSource Ransomware Attack
In its SEC filing, Quest Diagnostics says ReproSource in August discovered the presence of ransomware, quickly contained the malware and securely restored operations. It also immediately launched an investigation and retained cybersecurity experts to determine the cause and scope of the incident, and notified law enforcement, Quest says.
Quest Diagnostics’ systems were not affected by the incident, the SEC filing notes.
"Quest Diagnostics maintains cybersecurity insurance and does not believe this incident will have a material impact on its business, results of operations or financial condition," the filing says.
Quest Diagnostics Statement
Quest Diagnostics in a statement provided to Information Security Media Group says that while the company's investigation into the incident did not confirm that an unauthorized party acquired data in the incident, ReproSource, out of an abundance of caution, is notifying individuals whose personal information may have been accessed.
"ReproSource will continue to review our physical and electronic safeguards to protect personal information and take appropriate steps to safeguard patient information and our systems," the statement says. "Following the incident, we enhanced our cybersecurity by adding additional monitoring and detection tools as additional safeguards against ransomware and other cyberthreats."
The company did not respond to ISMG's request for additional details about the ReproSource ransomware incident.
Diamond Institute Settlement
In its statement about the Diamond Institute settlement, the New Jersey attorney general's office says the practice's data breach "allowed multiple instances of unauthorized access" to Diamond’s network for more than five months, between August 2016 and January 2017, giving at least one intruder access to consumers' electronic PHI.
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” Bruck says in the statement. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable." The state's settlement with Diamond "sends the message that such privacy lapses come with significant consequences," Bruck says.
The state's investigation into the Diamond breach resulted in allegations that the practice violated the New Jersey Consumer Fraud Act and the federal HIPAA Privacy and Security Rules, the statement says.
The alleged violations include failing to:
- Conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;
- Encrypt ePHI;
- Implement proper procedures for creating, changing and safeguarding passwords;
- Implement procedures to verify that the individual seeking access to ePHI is who they claim to be.
Diamond disputes the state's allegations, the New Jersey attorney general's office notes in its statement.
Diamond did not immediately respond to ISMG's request for comment on the settlement.
Corrective Actions
The state's consent order in the settlement requires Diamond to bolster its data security practices, including:
- Developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- Appointing a new HIPAA privacy and security officer with the appropriate background and expertise;
- Training employees on information privacy and security policies, and proper handling and protection of PHI and PII;
- Developing and implementing a written incident response and data breach notification plan;
- Implementing information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
Other State Actions
The Diamond case is not the first HIPAA-related settlement involving a state attorney general’s office. In 2018, the attorneys general of New Jersey and New York each slapped health insurer EmblemHealth with state financial penalties in connection with a 2016 breach that exposed Social Security numbers on mailings to tens of thousands of plan members in both states.
Also, in November 2020, former New Jersey Attorney General Gurbir Grewal and the state’s Division of Consumer Affairs slapped Keasbey, New Jersey-based Wakefern Food Corp., the largest retailer-owned cooperative in the U.S., and two of its associated ShopRite supermarket entities with a $235,000 financial settlement and corrective action plan in the aftermath of an incident involving improperly discarded devices containing personal information of more than 9,700 New Jersey residents.
"Healthcare firms must constantly look for opportunities to place practical limits on how much data is being exposed to team members - because limited exposure to healthcare practitioners can also create difficulties for hackers," Van Dyke says.
"Healthcare leaders need to push government leaders to not just penalize them for exposing data, but to also move toward centralized healthcare servicing that will help make cybersecurity attacks less common."