Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response
Ransomware Attack Compromises Fertility Patients' RecordsClinic Says It Regained Control of Network, Data
Reproductive Biology Associates, an Atlanta-based clinic operator, and its affiliate, MyEggBank North America, report their systems were hit by a ransomware attack in April but say they regained control of their network and data after contacting the attackers.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The clinic operator did not confirm that it had paid a ransom or explain how it was able to gain access to its systems or data.
"Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession," Matthew K. Maruca, the organization's general counsel, said in a statement. "In an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure."
The reproductive clinic operator said it discovered the attack on April 16 when a server containing embryology data was encrypted. An investigation into the incident found the attackers first gained access to the organization's network on April 7 and three days later accessed a server containing protected health information for 38,000 patients.
The organization did not say what type of ransomware was involved or identify the attacker.
The compromised data included full names, addresses, Social Security numbers, laboratory results and information relating to the handling of human tissue, Maruca says.
Maruca did not immediately respond to a request for additional information.
Javvad Malik, security awareness advocate with KnowBe4, says: "While the wording [on the organization's statement] doesn't say explicitly that a ransom was paid, the fact that access to the files was regained and confirmation was obtained from the actor that all exposed data was deleted confirms that some negotiation took place, and it would strongly point to the fact that a payment of some sort was made."
Reproductive Biology Associates reports that it's continuing its investigation into the attack and has deployed device tracking and monitoring to help contain and investigate the scope of the incident.
"We have also applied additional internal controls and have provided additional cybersecurity training to our staff to prevent this type of incident from occurring in the future," Maruca said in the statement. "These controls include working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems; updating, patching and in some cases replacing infrastructure to the latest versions; deploying password resets to appropriate users; rebuilding impacted systems; and deploying advanced antivirus and malware protection."
Those affected by the data exposure are being offered free credit monitoring for one year.
Paying the Ransom?
The debate on whether it's ever justifiable to pay an attacker's ransom demand was brought to the fore once again last month when Colonial Pipeline Co. admitted to having paid the DarkSide ransomware gang $4.4 million to receive a decryptor. The FBI was able to recover about half the ransom paid (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).
The bureau and other law enforcement agencies say that paying a ransom, in addition to spurring further crime incidents, may not result in the decryption of data or the fulfillment of criminals' promises to destroy or return stolen data.
"If there was an outright prohibition on paying ransom, backed up by [Department of Homeland Security] Secretary [Alejandro] Mayorkas' 'response and recovery fund,' we would break the business model of ransomware operators," says Mike Hamilton, former CISO for the city of Seattle, who is the co-founder of CI Security.
But Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security, says it's difficult to criticize businesses for paying ransoms because they have to consider many factors, including for example, potential harm to patients as well as the viability of the organization.