Reproductive Biology Associates, LLC (“RBA”), together with its affiliate My Egg Bank North America, LLC (“MEB”), issues this statement concerning an unauthorized disclosure of protected health information affecting approximately 38,000 patients.
We first became aware of a potential data incident on April 16, 2021 when we discovered that a file server containing embryology data was encrypted and therefore inaccessible. We quickly determined that this was the result of a ransomware attack and shut down the affected server, thus terminating the actor’s access, within the same business day. Based on our investigation, we believe the actor first gained access to our system on April 7, 2021 and subsequently to a server containing protected health information on April 10, 2021. In the course of our ongoing investigation of the incident, on June 7, 2021 we determined the individuals whose personal information was affected. Access to the encrypted files was regained, and we obtained confirmation from the actor that all exposed data was deleted and is no longer in its possession. In an abundance of caution, we conducted supplemental web searches for the potential presence of the exposed information, and at this time are not aware of any resultant exposure.
We are conducting a thorough investigation to determine what personal information might have been impacted. Impacted personal information may include the following:
- Full Name
- Social Security Number
- Laboratory Results
- Information relating to the handling of human tissue
We are continuing to conduct appropriate monitoring to detect and respond to any misuse or misappropriation of the potentially exposed data.
We regret that this incident occurred and take the security of our information very seriously. As a result of this incident, we have initiated an investigation through a leading professional IT services firm to conduct interviews and analyze forensic data related to the incident. Specifically, we have deployed device tracking and monitoring to help contain and investigate the scope of the incident, and have performed forensic analyses to understand the scope of the incident.
We have also applied additional internal controls and have provided additional cybersecurity training to our staff to prevent this type of incident from occurring in the future. These controls include working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems; updating, patching, and in some cases replacing infrastructure to the latest versions; deploying password resets to appropriate users; rebuilding impacted systems; and deploying advanced antivirus and malware protection.
We are also very aware of the concern an incident such as this can create. Accordingly, we are offering affected individuals monitoring service free of charge. We urge affected individuals to notify their bank in the event that anyone tries to access accounts fraudulently, and to remain vigilant by closely reviewing account statements and credit reports. In the instance of any suspicious activity on an account, affected individuals should promptly notify the financial institution or company with which the account is maintained and report any fraudulent activity or suspected incidence of identity theft to proper law enforcement authorities.
To the extent you feel that your personal information may have been affected by this incident, or should you have further questions or concerns, we can be reached by mail at 1100 Johnson Ferry Rd NE #200, Atlanta, GA 30342, or by phone at (855) 722-8523.
Matthew K. Maruca
6750 West Loop South, Suite 395
Bellaire, Texas 77401