Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois

Fertility Centers of Illinois (FCI) has recently notified 79,943 current and former patients that some of their protected health information may have been viewed or obtained by unauthorized individuals.

FCI identified suspicious network activity on February 1, 2021, and took prompt action to secure its systems. Independent forensic investigators were then engaged to determine the nature and scope of the security breach.

FCI had implemented security measures to keep patient data secure, and those measures ensured its electronic medical record system could not be accessed; however, the attackers were found to have accessed administrative files and folders. A review of those files confirmed on August 27, 2021, that they contained a range of patient data including names in combination with one or more of the following types of information:

Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs or account login information.

Employee information was also potentially compromised including names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence, and sickness certificates.

FCI said it had strict security measures in place to prevent unauthorized data access, but the attackers were able to bypass those controls. Steps have since been taken to further secure its systems, data, and equipment, including implementing enterprise-class identity verification software and providing additional training to the workforce on security practices.

All affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services for 12 months through Equifax.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.