Ransomware Attack Impacts 50,000 Patients of ReproSource Fertility Diagnostics

ReproSource Fertility Diagnostics a Malborough, MA-based clinic has experienced a ransomware attack that allowed cybercriminals to illegally gain access to databases that were holding the PHI of approximately 350,000 patients.

ReproSource is a large laboratory that services reproductive health clinics and is operated by Quest Diagnostics. ReproSource first noticed the ransomware infiltration on August 10, 2021 and quickly moved to disable network connections to mitigate the intrusion and to stop further access attempts from being successful. An in depth official review of the security breach found that the attack took place at some point in time on August 8.

While there is a chance that private patient data may have been stolen by the cyber criminals before the deployment of the ransomware, nothing has been found so far to suggest that data theft was allowed to take place. A further review of the files on the impacted databases came to an end on September 24 and showed that they included the following range of protected health information:

  • Names
  • Phone numbers
  • Addresses
  • Emails,
  • Birth dates
  • Billing data 
  • Health information (CPT codes, diagnosis codes, test requisitions and results, test reports and/or medical history information)
  • Health insurance or group plan identification names and numbers
  • Other information provided by individuals or by treating medics

A smaller portion of individuals may have had their driving license number, passport number, Social Security number, financial account number, and/or credit card number accessed.

Notification letters are now being issued to potentially impacted people by Quest Diagnostics. Free credit monitoring and protection services are being made available to impacted clients, as a precautionary step, who will also be protected by a $1,000,000 identity theft insurance policy.

ReproSource said extra security measures have been put in place to protect their databases in the face of ransomware attacks and a range of other cyber threats, including additional monitoring and detection security measures.