Getty Images

US Fertility Sued Over Ransomware Attack, Health Data Exfiltration

US Fertility, a third-party support services vendor, has been sued by the patients impacted by a ransomware attack that resulted in the exfiltration of health data in September.

US Fertility (USF) has been sued by the individuals impacted by its September ransomware attack, after the threat actors gained access to the third-party vendor’s network for a month and exfiltrated a trove of health data, medical records, and other sensitive data.

USF provides support services for a range of US fertility clinics and operates 50 fertility clinics across the country. In late November, the vendor reported it had fallen victim to a ransomware attack and that a range of patient data from a number of clinics was likely compromised ahead of the malware payload.

The ransomware portion of the attack was discovered on September 14, which encrypted a number of computers on the network.

However, the investigation revealed the hackers stole patient data prior to deploying the encryption malware nearly a month earlier, between August 12 and September 14.

The stolen and accessed data varied by patient and included names, contact details, dates of birth, MPI numbers, medical record information, health insurance data, financial account details, passport numbers, diagnoses, treatments, and Social Security numbers, among other data.

Filed in the US District Court for Maryland’s Southern Division, the lawsuit calls the breach “particularly egregious.” The breach victims are suing USF for negligence, breach of implied contract, unjust enrichment, and violation of the Nevada Deceptive Trade Practices Act.

The lawsuit purports that the victims have also suffered irreparable harm and are now at an increased risk for identity theft. The individuals are now forced to undertake additional security measures to minimize the risk of identity theft and “emotional devastation.”

“USF’s carelessness and inadequate data security caused patients of fertility clinics utilizing its services to lose all sense of privacy,” the lawsuit argues. “The data breach was the result of USF’s inadequate and laxed approach to the data security and protection of its customers’ PII that it collected during business.”

“[The individuals’] rights were disregarded by USF’s reckless and/or negligent failure to take adequate and reasonable measures to ensure its data systems were protected, failure to disclose the material fact that it did not have adequate computer systems and security practices to safeguard PII, [and] failure to take available steps to prevent the data breach, “ it adds.

The lawsuit also argues the USF’s security policies lacked appropriate monitor abilities to detect the breach in a timely fashion.

As such, the patients are at a heightened risk of data theft, unauthorized financial charges, costs associated with detection and prevent of identity theft from the stolen information, and damages stemming from the inability to use credit or debit cards suspended as a result of fraudulent charges, among other potential harms.

The lawsuit also contains a number of issues patients have experienced as a direct result of the data incident, including reduced credit scores and fraudulent unemployment attempts.

The breach victims are asking the lawsuit to be certified as class action, as well as restitution for the costs incurred as a direct result of the data breach.

The lawsuit is also seeking a requirement for USF to implement proper data security policies and practices, including encryption measures for all data collected, requiring the deletion or destruction of lawsuit members’ personally identifiable information, and mandating the implementation of a comprehensive information security program.

The victims also want USF to be required to engage with an outside security auditor or penetration tester, as well as internal security personnel to conduct pen testing, simulate attacks,  anaudit of all USF systems to identify and correct potential security vulnerabilities.

The third-party auditor would also be tasked with running automated security monitoring and implementing proper segmentation, access controls, database scanning, and firewalls, as well as training and testing all workforce members.

“The injuries [individuals] suffered were directly and proximately caused by USF’s failure to implement or maintain adequate data security measures for PII,” according to the lawsuit. “[individuals] retain a significant interest in ensuring that their PII, which remains in USF’s possession, is protected from further breaches, and seek to remedy the harms suffered as a result of the Data Breach for themselves and on behalf of similarly situated consumers whose PII was stolen.”

Health data breach lawsuits have become increasingly common in light of the current threat landscape but to mixed results -- and most are settled out of court.

Most recently, a Delaware judge tossed a lawsuit against Brandywine Urology Consultants a year after it was filed, as the victims did not provide evidence of actual harm. The case may prove an example for future data breach lawsuits and the need for victims to demonstrate actual harm.

Next Steps

Dig Deeper on Health data access & privacy