Georgia Fertility Clinic Hit by Ransomware: Expert Commentary

Reproductive Biology Associates and its affiliate My Egg Bank North America, a Georgia-based fertility clinic, recently disclosed suffering a ransomware attack in April. 

The clinic notified about 38,000 patients that hackers accessed medical data and other personally identifying information in the course of this ransomware attack. This information includes names, addresses, SSNs, laboratory results, and ‘information relating to the handling of human tissue,’ according to Matthew Maruca, general counsel for Reproductive Biology Associates and its affiliate. 

Maruca did not state whether the Georgia fertility clinic paid the ransomware, but did state that the company regained access to all encrypted files and that hackers deleted all stolen data. 

To gain more perspective on this attack, we contacted multiple cybersecurity experts. Here’s what they had to say.  

 Georgia Fertility Clinic Hit by Ransomware: Expert Commentary 

Stephan Chenette

Stephan Chenette is Co-Founder & CTO of AttackIQ.

“The healthcare industry is one of the largest targets for cyber-criminals due to protected health information (PHI) being extremely profitable on dark web marketplaces. Healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come.

Organizations that manage sensitive health information must take proactive approaches to protect their data. To best defend against ransomware, it’s important to understand the common tactics, techniques and procedures used by the adversary. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim.”

Anurag Kahol

Anurag Kahol is CTO and co-founder of Bitglass.

“This data breach is a prime example of the repercussions that occur following a ransomware attack. The personally identifiable information (PII) stolen in this instance, including social security numbers and addresses, is valuable data that can sell for high profits on the dark web or be leveraged by threat actors to impersonate victims or launch phishing attacks against them. Phishing attacks that are highly tailored to the victim (e.g. include personal details) and prey on victims’ emotions (e.g. struggles with infertility) are especially effective. With the increasing frequency in ransomware attacks, enterprises must be more vigilant with their security posture by obtaining full visibility and control over their network and devices. As such, they must adopt modern security technologies that monitor for and prevent suspicious activity such as data loss prevention (DLP), multi-factor authentication (MFA), and user and entity behavior analytics (UEBA). Only then can organizations ensure that their customers’ sensitive data is secure and away from the hands of threat actors.”

Casey Ellis

Casey Ellis is CTO and founder of Bugcrowd. 

“This breach is an intensely personal reminder of the complex cybersecurity risks which exist in all IT security systems. Vulnerabilities exist in every platform, and in spite of the best efforts of companies holding data as sensitive as My Egg Bank exposures can and do happen.  

The notion of securing data as personal as what has been compromised here against the variety of possible threat actors can seem like an insurmountable task, but that’s where the crowd of hackers acting in good faith comes into level the playing field. A crowdsourced cybersecurity approach enables healthcare professionals to assess and mitigate the risks associated with disparate data sources and infrastructure so that patients do not have to worry about the privacy of their data. It’s imperative health organizations up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them.  

By doing so, organizations can learn of security issues before the adversary does, protect their users, and avoid a devastating breach. Failing to ensure security at the scale needed will grant attackers access to large quantities of patient data, as well as the ability to inject ransomware into insecure healthcare networks.” 

Garret Grajek

Garret Grajek is CEO of YouAttest.  

“Dwell time refers to how long hackers remain undetected in an organization’s network.  FireEye Mandiant estimates the average dwell time at 56 days. In the infamous Equifax attackers, which cost the company over $400 million in victim compensation, the attackers remained undetected for 78 days.    

What can be done?  We have to assume an attacker will penetrate our walls – that’s the concept of zero trust.  Once in, we do know what an attacker will do – they follow the known cyber kill chain of events, including lateral movement and privilege escalation – which means they will roam the networks and attempt to increase their privileges for additional access and exfiltration. Organizations must have mechanisms the detect these actions, including triggers on account privileges that communicate to relevant IT and security personnel when the rights of our enterprise identities are being modified.”

Thanks to these experts for their time and expertise on the Georgia fertility clinic ransomware attack. For more, check out the Endpoint Security Buyer’s Guide.