US fertility sued over ransomware attack
by Kapua Iao
RELATED: HIPAA Stands For . . .
Unfortunately, such outcomes are not the only things for CEs to worry about.
What is ransomware?
Ransomware is malware (or malicious software) that essentially holds data hostage (i.e., encrypted) until a victim pays a ransom to have it released.
Victims normally download malware through phishing emails that include malicious attachments or fraudulent links. The idea is to entice a victim to click and/or share user information.
In the past, threat actors stopped at encryption. New groups, however, such as the Maze ransomware group, also exfiltrate data (i.e., steal) before encryption. They then leak some of the data and threaten to publish all of the information to force a bigger payoff.
These costs include the possibility of a civil lawsuit and its associated costs.
So what happened with US Fertility?
Threat actors gained access to USF’s system through one of its BAs. USF discovered the breach when hackers encrypted several computers.
At that time, USF hired an outside computer forensic team to remove the malware and fix the encrypted files. The affected devices were reconnected on September 20 though the investigation continued afterward.
The forensic team confirmed that the hackers were in the USF system for over a month to exfiltrate PHI. The attack began on August 12, but USF did not discover the breach until September 14.
Exposed PHI includes:
|Contact details||Health insurance information|
|Date of birth||Diagnoses|
|Financial account details||Treatments|
|Personal ID numbers|
|Social Security numbers|
The review concluded on November 13. Subsequently, USF reported the incident to necessary law enforcement agencies. According to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, the hacking/IT incident affected 878,550 individuals.
The lawsuit against US Fertility
In January 2021, two patients, “individually, and on behalf of all others similarly situated,” filed a lawsuit in the U.S. District Court for Maryland’s Southern Division.
The individuals are suing for negligence, breach of implied contract, unjust enrichment, and violation of the Nevada Deceptive Trade Practices Act.
All because USF did not keep its patients’ PHI secure nor notify patients immediately.
According to the lawsuit, the plaintiffs “suffered irreparable harm and are subject to an increased risk of identity theft.” The possibility of identity theft was mentioned when USF announced the breach in November.
The lawsuit further states, “USF’s carelessness and inadequate data security caused patients of fertility clinics utilizing its services to lose all sense of privacy. The data breach was the result of USF’s inadequate and laxed approach to the data security and protection of its customers’ PII that it collected during business.”
The plaintiffs want USF to be found negligent and for the company to overhaul its cybersecurity. They also want monetary restitution.
Strong protection means strong email security
Ransomware attacks, their associated costs, and the possibility of a lawsuit serves as a reminder to always use strict cybersecurity.
But these changes are not enough; and moreover, such practices should have been in place before the attack occurred.
First, all healthcare organizations must perform regular recovery tests and offline backups in case of a data breach. A business continuity plan must not be an afterthought.
Second, it is important to provide nonstop employee awareness training. Not once or twice, but continuously.
And finally, CEs must employ strong email security such as Paubox Email Suite Plus. Our HIPAA compliant email solution requires no change in user behavior, and malicious emails are blocked even before reaching an employee’s inbox.
Moreover, all outbound and inbound email is encrypted by default using TLS email encryption 1.2 or 1.3.
Stop ransomware from causing your organization headaches and do not give your patients the time or desire to file a lawsuit. Protect them and yourself before threat actors attack.