by Kapua Iao
Article filed in

US fertility sued over ransomware attack

by Kapua Iao

US Fertility logo

Recently, US Fertility (USF) was sued by patients impacted during a September 2020 ransomware attack. USF provides support services for and operates various U.S. fertility clinics.

As a rule, covered entities (CEs) and their business associates (BAs) must utilize strong cybersecurity measures to safeguard patients’ protected health information (PHI).

When CEs do not have solid cybersecurity, a data breach is inevitable along with possible PHI exposure and a HIPAA violation.

RELATED: HIPAA Stands For . . .

Unfortunately, such outcomes are not the only things for CEs to worry about.

What is ransomware?

Ransomware is malware (or malicious software) that essentially holds data hostage (i.e., encrypted) until a victim pays a ransom to have it released.

Victims normally download malware through phishing emails that include malicious attachments or fraudulent links. The idea is to entice a victim to click and/or share user information.

In the past, threat actors stopped at encryption. New groups, however, such as the Maze ransomware group, also exfiltrate data (i.e., steal) before encryption. They then leak some of the data and threaten to publish all of the information to force a bigger payoff.

RELATED: Hackers Release Healthcare Data in Double Extortion Attacks

IT specialists and CEs still debate if healthcare organizations should pay a ransom. Specialists say no, but some CEs are on the fence as they consider the immediate and future costs of ransomware.

These costs include the possibility of a civil lawsuit and its associated costs.

RELATED: Anthem Settles with 44 States for Additional $40M Over 2015 Breach

So what happened with US Fertility?

Threat actors gained access to USF’s system through one of its BAs. USF discovered the breach when hackers encrypted several computers.

At that time, USF hired an outside computer forensic team to remove the malware and fix the encrypted files. The affected devices were reconnected on September 20 though the investigation continued afterward.

The forensic team confirmed that the hackers were in the USF system for over a month to exfiltrate PHI. The attack began on August 12, but USF did not discover the breach until September 14.

Exposed PHI includes:

Names Medical Information
Contact details Health insurance information
Date of birth Diagnoses
Financial account details Treatments
Personal ID numbers
Social Security numbers

RELATED: Personally Identifiable Information [PII]: HIPAA Compliance Key Facts

The review concluded on November 13. Subsequently, USF reported the incident to necessary law enforcement agencies. According to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, the hacking/IT incident affected 878,550 individuals.

The lawsuit against US Fertility

In January 2021, two patients, “individually, and on behalf of all others similarly situated,” filed a lawsuit in the U.S. District Court for Maryland’s Southern Division.

The individuals are suing for negligence, breach of implied contract, unjust enrichment, and violation of the Nevada Deceptive Trade Practices Act.

All because USF did not keep its patients’ PHI secure nor notify patients immediately.

According to the lawsuit, the plaintiffs “suffered irreparable harm and are subject to an increased risk of identity theft.” The possibility of identity theft was mentioned when USF announced the breach in November.

The lawsuit further states, “USF’s carelessness and inadequate data security caused patients of fertility clinics utilizing its services to lose all sense of privacy. The data breach was the result of USF’s inadequate and laxed approach to the data security and protection of its customers’ PII that it collected during business.”

The plaintiffs want USF to be found negligent and for the company to overhaul its cybersecurity. They also want monetary restitution.

Strong protection means strong email security

Ransomware attacks, their associated costs, and the possibility of a lawsuit serves as a reminder to always use strict cybersecurity.

After the recent ransomware attack, USF made some improvements to its firewall and network monitoring capabilities. The company also increased its employee training, especially on email phishing.

But these changes are not enough; and moreover, such practices should have been in place before the attack occurred.

First, all healthcare organizations must perform regular recovery tests and offline backups in case of a data breach. A business continuity plan must not be an afterthought.

Second, it is important to provide nonstop employee awareness training. Not once or twice, but continuously.

And finally, CEs must employ strong email security such as Paubox Email Suite Plus. Our HIPAA compliant email solution requires no change in user behavior, and malicious emails are blocked even before reaching an employee’s inbox.

Moreover, all outbound and inbound email is encrypted by default using TLS email encryption 1.2 or 1.3.

Stop ransomware from causing your organization headaches and do not give your patients the time or desire to file a lawsuit. Protect them and yourself before threat actors attack.

Try Paubox Email Suite Plus for FREE today.