Ransomware Attack on Conceptions Reproductive Associates of Colorado

The Conceptions Reproductive Associates of Colorado fertility clinic recently announced that it suffered a ransomware attack. The threat actor gained unauthorized access to its systems and stole the data of about 80,000 current and former patients, including their associates.

The fertility clinic detected the incident in the middle of April 2024, when it affected some of its older computer systems. It immediately implemented incident response procedures and reported the attack to authorities. Conceptions Reproductive Associates started an investigation to determine the nature and scope of the unauthorized access. According to the investigation, the ransomware group gained access to some legacy systems at the beginning of April and exfiltrated data files.

The investigators have just completed the file analysis, and the fertility clinic mailed individual notifications to all affected individuals for whom it had a current address on file. The data stolen during the attack differed from person to person and might have involved names combined with at least one of these data elements: address, telephone number, tests requested, test findings, vital signs, physical examination results, and diagnostic photos. For a number of individuals, the following data might also have been exposed: driver’s license number or other government-issued ID, Social Security number, debit/credit card number, and/or checking account number. The debit/credit card numbers for many individuals had already expired.

Although the fertility clinic does not know whether any stolen data has been misused, it offered free identity theft protection and credit monitoring services to the impacted persons. Conceptions Reproductive Associates has already taken steps to strengthen security and prevent similar incidents in the future. The following measures were implemented: reconfiguring its system infrastructure, applying more complex password requirements, and enhancing remote access security by setting up multi-factor authentication. As a covered entity, the practice must update its HIPAA training as well.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches.