The Marlborough, MA-based fertility-related medical laboratory ReproSource Fertility Diagnostics has started notifying around 350,000 of its patients about a cyberattack in which patient data was potentially compromised. The Quest Diagnostics subsidiary said unauthorized individuals gained access to its systems on August 8, 2021 and deployed ransomware. The breach was discovered on the morning of August 10, 2021, and, within an hour, network connections had been severed to contain the attack and prevent any further unauthorized access.
Third-party cybersecurity experts were engaged to assist with the investigation and determine the cause and scope of the security breach. The laboratory said it was able to quickly contain the incident and securely recovered operations quickly. A comprehensive review of all systems that may have been accessed by the hackers confirmed patients’ protected health information may have been viewed, including the following:
Names, phone numbers, addresses, email addresses, dates of birth, billing information, CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. Some individuals also had their driver’s license number, passport number, Social Security number, financial account numbers, and/or credit card numbers stored on the affected systems.
It is unclear at this stage of the investigation if any of the above information was acquired by the attackers. Data theft has not been ruled out. ReproSource said it has enhanced safeguards for patient data and has implemented additional monitoring and detection tools. Affected individuals have been offered complimentary access to credit monitoring and identity theft protection services.
The ransomware attack is the latest in a string of attacks on operators of fertility clinics. In June 2021, Reproductive Biology Associates said it suffered a ransomware attack that also affected its affiliate, MyEggBank North America and US Fertility was attacked in late 2020 which resulted in the exposure of the protected health information of 879,000 individuals.