The Fertility Centers of Illinois (FCI) has notified nearly 80,000 current and former patients that their information may have been compromised. 

FCI engaged independent forensic investigators to conduct an investigation after becoming aware of an intrusion on its internal systems on February 1, 2021. The investigation revealed that an unauthorized third party had gained access to several FCI’s administrative files and folders containing certain data. Due to the security systems already in place, the investigation indicated that no EMR (electronic medical records) systems were accessed or otherwise compromised due to this incident.

On August 27, 2021, FCI determined that information related to certain FCI patients was included in the set of files accessed by the unauthorized third party, but there wasn’t any actual or attempted misuse of patient information as a result of this incident.

The impacted files contained personal information including the names of some patients, employer assigned identification numbers, passport numbers, Social Security numbers, financial account information, payment card information, treatment information, diagnosis, treating/referring physicians, medical record number, medical billing/claims information, prescription/medication information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, ill health/retirement information, master patient index, occupational-health related information, other medical benefits and entitlements information, other medical identification numbers, pat keys/reason for absence, sickness certificate, usernames and passwords with PINs or account login information, and medical facilities associated with patient information.

Upon learning of the incident, FCI immediately eliminated unauthorized access and brought in independent forensic investigators to investigate and remediate the matter. Since the incident, additional security measures have been taken to further secure access to data, individual accounts, and equipment, including the implementation of enterprise identity verification software. Additionally, all FCI employees have received enhanced training on security practices.

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says, “It’s not uncommon for medical organizations to store patient data outside of their electronic health record (EHR) system, and it sounds like that’s what happened here. As the article notes, the EMR was not compromised due to unspecified security measures. However, files (presumably on some network share) were accessed by threat actors. It wouldn’t surprise me to learn that the EMR enforces MFA or doesn’t use domain authentication. Organizations should take inventory of where they may have regulated data that may fall outside of normal monitoring and audit controls. Those who don’t perform regular data inventory searches almost certainly have regulated data in their file shares – a location where it is just one phishing email away from compromise.”

“Although the source of the compromise is not known at this time, roughly 80,000 current and former patients’ data from the Fertility Centers of Illinois (FCI) were exposed. FCI has stated that they followed reasonable practices to protect their users and that an administrative account was used to obtain the data. These higher privileged accounts often have access to widespread data and act as a single point of failure, as evidenced by the large amount of user data exposed,” says Ben Pick, Principal Consultant at nVisium, a Falls Church, Virginia-based application security provider. “Without knowing the cause of the administrator’s account being compromised, the best advice is to limit their access based on ‘need to know.’ When these privileged accounts cannot be limited, then strong monitoring must be enforced. This would alert when anomalous calls are made to indicate when an administrator may be performing an excessive amount of searches and possibly exfiltrating data.”