Fraud Management & Cybercrime , Governance & Risk Management , HIPAA/HITECH

Fertility Testing Lab Says Ransomware Breach Affects 350,000

Also, NJ AG Smacks Fertility Clinic With Big Fine in Hacking Incident
Fertility Testing Lab Says Ransomware Breach Affects 350,000
Quest Diagnostics says a ransomware attack on its fertility test lab subsidiary, ReproSource, affected 350,000 patients.

A flurry of hacking incidents and other recent breach developments highlight the cyberthreats and risks facing fertility healthcare and other related specialty providers that handle sensitive patient information.

See Also: Best Practices to Protect Communication and Email Fraud with Technology

In a filing on Friday with the U.S. Securities and Exchange Commission, medical laboratory testing company Quest Diagnostics says an August 2021 ransomware attack on its ReproSource fertility-focused laboratory subsidiary has led to the potential compromise of personal information of approximately 350,000 patients.

A data security incident notice posted by Marlborough, Massachusetts-based ReproSource on its website says its analysis to date indicates that information in files that may have been accessed or acquired without authorization include names, addresses, phone numbers, email addresses, dates of birth, billing and health information, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or treating physicians.

ReproSource also says that for a small group of individuals, affected information may have included numbers for driver’s licenses, passports, Social Security accounts, financial accounts, and/or credit card accounts.

Meanwhile, on Tuesday, New Jersey acting Attorney General Andrew Bruck and the state's Division of Consumer Affairs announced a $495,000 financial settlement and corrective action plan with Diamond Institute for Infertility and Menopause LLC related to a hacking incident reported in April 2017 that affected nearly 15,000 individuals.

The financial settlement includes a $412,300 civil monetary penalty, plus $82,700 to reimburse the Division of Consumer Affairs for attorneys’ fees and investigative costs.

The Millburn, New Jersey-based Diamond Institute's fertility and women's healthcare practice operates two clinics in New Jersey and one in New York and offers consultation services in Bermuda.

Other Data Security Incidents

The ReproSource ransomware attack and New Jersey's breach settlement with Diamond are among the latest data security incidents and related fallout involving fertility healthcare services providers.

In June, Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, reported that their systems had been hit by a ransomware attack in April.

The Department of Health and Human Services' HIPAA Breach Reporting Tool listing health data breaches affecting 500 or more individuals shows that Reproductive Biology Associates reported the incident as a HIPAA breach affecting 38,000.

Among the largest breaches reported in 2020 was a ransomware incident affecting nearly 879,000 individuals reported last November by Maryland-based US Fertility, a business associate that provides IT and other support services to a network of fertility practices operating in several states.

So far, at least one class action lawsuit has been filed against the company related to that incident.

Also, a ransomware-related breach by Women’s Care Florida LLC affected nearly 529,000 individuals and was one of the largest health data breaches reported in 2019.

"The uniquely complex U.S. model of healthcare service and provisioning creates more cybercrime opportunities."
—Jim Van Dyke, Sontiq

Besides the rash of data breaches involving fertility healthcare entities, other specialty healthcare providers, including mental health clinics, that also handle particularly sensitive health information have been the targets of recent hacking incidents (see: Mental Health Clinic Notifies Patients 6 Months After Hack).

Valuable Private Data

Overall, healthcare sector organizations are experiencing more ransomware and other security attacks for several reasons, says Jim Van Dyke, a senior vice president at security firm Sontiq, which analyzes and rates the severity of data breaches based on the type of information compromised.

"They are more likely to have all sorts of private data - personally identifiable information, PHI, and event payment data of highest monetary value to cybercriminals - because they work directly with consumers in an intimate manner," he says.

Also, many healthcare sector entities are likely spending less on security relative to other industry sectors that have comparable amounts of highest-value private consumer data," he notes.

"The uniquely complex U.S. model of healthcare service and provisioning creates more cybercrime opportunities."

ReproSource Ransomware Attack

In its SEC filing, Quest Diagnostics says ReproSource in August discovered the presence of ransomware, quickly contained the malware and securely restored operations. It also immediately launched an investigation and retained cybersecurity experts to determine the cause and scope of the incident, and notified law enforcement, Quest says.

Quest Diagnostics’ systems were not affected by the incident, the SEC filing notes.

"Quest Diagnostics maintains cybersecurity insurance and does not believe this incident will have a material impact on its business, results of operations or financial condition," the filing says.

Quest Diagnostics Statement

Quest Diagnostics in a statement provided to Information Security Media Group saysthat while the company's investigation into the incident did not confirm that an unauthorized party acquired data in the incident, ReproSource, out of an abundance of caution, is notifying individuals whose personal information may have been accessed.

"ReproSource will continue to review our physical and electronic safeguards to protect personal information and take appropriate steps to safeguard patient information and our systems," the statement says. "Following the incident, we enhanced our cybersecurity by adding additional monitoring and detection tools as additional safeguards against ransomware and other cyberthreats."

The company did not respond to ISMG's request for additional details about the ReproSource ransomware incident.

Diamond Institute Settlement

In its statement about the Diamond Institute settlement, the New Jersey attorney general's office says the practice's data breach "allowed multiple instances of unauthorized access" to Diamond’s network for more than five months, between August 2016 and January 2017, giving at least one intruder access to consumers' electronic PHI.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” Bruck says in the statement. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable." The state's settlement with Diamond "sends the message that such privacy lapses come with significant consequences, Bruck says.

The state's investigation into the Diamond breach resulted in allegations that the practice violated the New Jersey Consumer Fraud Act and the federal HIPAA Privacy and Security Rules, the statement says.

The alleged violations include failing to:

  • Conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Encrypt ePHI;
  • Implement proper procedures for creating, changing and safeguarding passwords;
  • Implement procedures to verify that the individual seeking access to ePHI is who they claim to be.

Diamond disputes the state's allegations, the New Jersey attorney general office's statement notes.

Diamond did not immediately respond to ISMG's request for comment on the settlement.

Corrective Actions

The state's consent order in the settlement requires Diamond to bolster its data security practices, including:

  • Developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • Appointing a new HIPAA privacy and security officer with the appropriate background and expertise;
  • Training employees on information privacy and security policies, and proper handling and protection of PHI and PII;
  • Developing and implementing a written incident response and data breach notification plan;
  • Implementing information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.

Other State Actions

The Diamond case is not the first HIPAA-related settlement involving a state attorney general’s office. In 2018, the attorneys general of New Jersey and New York each slapped health insurer EmblemHealth with state financial penalties in connection with a 2016 breach that exposed Social Security numbers on mailings to tens of thousands of plan members in both states.

Also, in November 2020, former New Jersey Attorney General Gurbir Grewal and the state’s Division of Consumer Affairs slapped Keasbey, New Jersey-based Wakefern Food Corp., the largest retailer-owned cooperative in the U.S., and two of its associated ShopRite supermarket entities with a $235,000 financial settlement and corrective action plan in the aftermath of an incident that involving improperly discarded devices containing personal information of more than 9,700 New Jersey residents.

"Healthcare firms must constantly look for opportunities to place practical limits on how much data is being exposed to team members - because limited exposure to healthcare practitioners can also create difficulties for hackers," Van Dyke says.

"Healthcare leaders need to push government leaders to not just penalize them for exposing data, but to also move toward centralized healthcare servicing that will help make cybersecurity attacks less common."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.