Recently, US Fertility (USF) was sued by patients impacted during a September 2020 ransomware attack. USF provides support services for and operates various U.S. fertility clinics. As a rule, covered entities (CEs) and their business associates (BAs) must utilize strong cybersecurity measures to safeguard patients’ protected health information (PHI). When CEs do not have solid cybersecurity, a data breach is inevitable along with possible PHI exposure and a HIPAA violation.
Unfortunately, such outcomes are not the only things for CEs to worry about.
Ransomware is malware (malicious software) that holds data hostage by encrypting it until the victim pays a ransom for the decryption key. Victims typically download the malware through phishing emails carrying malicious attachments or fraudulent links designed to entice them to click and/or hand over user credentials. In the past, threat actors stopped at encryption. Newer groups, such as the Maze ransomware group, also exfiltrate (i.e., steal) data before encrypting it. They then leak a portion of the data and threaten to publish all of it to force a bigger payoff.
IT specialists and CEs still debate if healthcare organizations should pay a ransom. Specialists say no, but some CEs are on the fence as they consider the immediate and future costs of ransomware. These costs include the possibility of a civil lawsuit and its associated costs.
Threat actors gained access to USF’s system through one of its BAs. USF discovered the breach when the hackers encrypted several computers. At that time, USF hired an outside computer forensics team to remove the malware and restore the encrypted files. The affected devices were reconnected on September 20, though the investigation continued afterward. The forensic team confirmed that the hackers had been inside the USF system for over a month exfiltrating PHI: the attack began on August 12, but USF did not discover the breach until September 14. Exposed PHI includes:
- Names
- Contact details
- Date of birth
- Financial account details
- Personal ID numbers
- Medical information
- Health insurance information
- Diagnoses
- Treatments
- Social Security numbers
The review concluded on November 13. Subsequently, USF reported the incident to necessary law enforcement agencies. According to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, the hacking/IT incident affected 878,550 individuals.
In January 2021, two patients, “individually, and on behalf of all others similarly situated,” filed a lawsuit in the U.S. District Court for Maryland’s Southern Division. The individuals are suing for negligence, breach of implied contract, unjust enrichment, and violation of the Nevada Deceptive Trade Practices Act, alleging that USF neither kept its patients’ PHI secure nor notified patients immediately. According to the lawsuit, the plaintiffs “suffered irreparable harm and are subject to an increased risk of identity theft.” USF itself mentioned the possibility of identity theft when it announced the breach in November. The lawsuit further states, “USF’s carelessness and inadequate data security caused patients of fertility clinics utilizing its services to lose all sense of privacy. The data breach was the result of USF’s inadequate and laxed approach to the data security and protection of its customers’ PII that it collected during business.” The plaintiffs want USF to be found negligent and ordered to overhaul its cybersecurity. They also want monetary restitution.