PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates
The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers. The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue. The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered. Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will...
1 Billion-Record Database of Searches of CVS Website Exposed Online
A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to CVS.com and CVSHealth.com, typically for information about medications an COVID-19 vaccines. It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address. The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites was also included in the database. Due to the size of the database, it was not possible to perform searches of all data but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly...
Prominence Health Plan Data Breach Impacts up to 45,000 Individuals
The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network. While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials. The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000...
San Juan Regional Medical Center Data Breach Affects 68,792 Patients
San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach. The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of its patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following data elements: Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. While data theft was confirmed, no evidence has been found to indicate any of the...
Bipartisan Group of Senators Introduce Draft Federal Data Breach Notification Bill
A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. The draft bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues that have been identified following recent cyberattacks that have impacted critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline. The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide...



