The Lister Fertility Clinic has warned its 1,700 patients of a data breach involving their medical records. The cyber-attack saw confidential patient information compromised and then leaked on the dark web.
Cyber-criminals hacked British-based document management firm Stor-a-file with ransomware. This malware infiltrated the company's security and latched onto important documents and drives.
Ransomware typically gains a foothold via email, through installed programs or website links, and can quickly gain access to computer storage systems. After doing so, it encrypts the data so that only the hackers can access the files.
Stor-a-file’s clients include GP practices, NHS hospital trusts, local councils, law firms and accountants.
After stealing information from Stor-a-file, hackers attempted to ransom the data back for £3 million in bitcoin, but the ransom was not paid. Instead, Stor-a-file restored a backup of the data and removed any programs which may have led to the attack.
While the ransom message from the hackers noted that they “don’t intend to release medical records on the dark web”, the Lister Fertility Clinic warned patients that this may not be true.
The letter to Lister Fertility Clinic patients stated: “We were advised by Stor-a-file that the cyber-gang that accessed their systems made a ransom demand which was not paid and that the gang has released some of the data that they accessed on the dark web.”
Lister Fertility Clinic sent letters to around 1,700 of their patients informing them of the data breach concerning their medical records. These medical records included consent forms, test results, treatment recommendations and fertility treatment.
Lister Fertility Clinic currently has 10 locations around the UK, including London, Dorchester, Oxford, and Jersey.
While the identity of most of the other companies affected is not known, Nuffield Health Leicester Hospital has been revealed as another victim, alongside two abortion clinics run by Marie Stopes and the British Pregnancy Advisory Service (BPAS).
Despite the hackers stating they would not release the records online, information on several women has since been found on the dark web.
These documents include names, dates of birth, phone numbers and scans. The records also note women who have had abortions at the affected clinics.
Commenting on the data breach, Mark Montaldo, a director at CEL Solicitors and experienced data breach solicitor, said: “This is a serious data breach involving hugely sensitive and deeply personal information that will undoubtedly cause significant distress to those affected. Data breaches involving medical records are among the most common data breaches we see. It’s therefore incumbent on organisations within the medical sector to review their own cyber security and that of third-party providers.”
The type of information compromised represents a significant point of distress. Victims may now find that their private health details are listed online for criminal use.
Victims of the data breach are likely able to bring a claim for any distress caused by the incident. Due to the severity of the information compromised, the amount of such a claim may be significant.