38,000 of RBA’s customers had their embryology data stolen by a ransomware gang.

Approximately 38,000 of RBA’s customers had their embryology data stolen by a ransomware gang.

Reproductive Biology Associates says the data of approximately 38,000 people may have been exposed in an April ransomware attack. In a letter from the Georgia-based fertility clinic, together with its affiliate My Egg Bank North America, attorney Matthew Maruca said the organization first became aware of a potential incident on April 16 when it discovered that a file server containing embryology data was encrypted and inaccessible.

RBA disclosed the breach on Friday. The company said that cyberattackers were able to infiltrate its network on April 7, before moving laterally to a server housing sensitive patient information three days later, on April 10. RBA discovered the attack on April 16. “We discovered that a file server containing embryology data was encrypted and therefore inaccessible,” according to the notice. “We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day.”

The attackers stole names, addresses, SSNs, laboratory results and “information relating to the handling of human tissue,” according to Maruca. 

The company offered free monitoring services for those affected and said it hired a cybersecurity company to secure its systems. Multiple studies from cybersecurity firms have shown that even after being paid, ransomware gangs often keep or even post stolen information. A Coveware report from November showed that there have been a number of cases where victims have paid attackers and still had their data published online. 

“Organizations such as fertility clinics may consider themselves as lower risk than, say, hospitals, but the truth is that they have just as much sensitive personal information that is of value to criminals and can disrupt daily operations,” said Javvad Malik, security awareness advocate at KnowBe4, via email. “Once data has been accessed by criminals, even if an organization can restore from backup or pay a ransom, there is no limitation of what the criminals can do with the stolen data. This can include selling the data on to other criminals or using the data themselves to attack unsuspecting victims.”