US Fertility Says Patient Data Was Stolen in a Ransomware Attack (techcrunch.com)
U.S. Fertility, one of the largest networks of fertility clinics in the United States, has confirmed it was hit by a ransomware attack and that data was taken. From a report: The company was formed in May as a partnership between Shady Grove Fertility, a fertility clinic with dozens of locations across the U.S. east coast, and Amulet Capital Partners, a private equity firm that invests largely in the healthcare space. As a joint venture, U.S. Fertility now claims 55 locations across the U.S., including California. In a statement, U.S. Fertility said that the hackers "acquired a limited number of files" during the month that they were in its systems, until the ransomware was triggered on September 14. That's a common technique of data-stealing ransomware, which steals data before encrypting the victim's network for ransom. Some ransomware groups publish the stolen files on their websites if their ransom demand isn't paid. U.S. Fertility said some personal information, like names and addresses, was taken in the attack. Some patients also had their Social Security numbers taken. But the company warned that the attack may have involved protected health information.
It's fairly apparent (Score:5, Insightful)
2011 ZD Net (Score:1)
Re: (Score:2)
Oh, gods, I remember that article. I also remember thinking, "That's the worst idea that I've seen floated in the IT world in years."
Re: It's fairly apparent (Score:2)
Agreed. It's one thing to say "criminals stole data", but that shouldn't relieve a company of liability if they left their door unlocked.
Re: (Score:2)
I could leave my business door unlocked and my insurance company would refund me for everything that was lost minus deductible. The next time I get my insurance quote it will be higher because I am a liability. Business liability insurance is no different. It was dirt cheap for them and they let their security wane. Now their next insurance quote will be much much higher and they will need to adapt to that. So what do we want, a slap on the wrist which they currently get (government fines + increased i
Yeah... not gonna happen (Score:2)
Also, realistically, none of this matters. Aside from the Ashley Madison breach none of these have had all that much impact. It means you have to watch your credit card statement, that's about it.
I never understand why people worry so much about their privacy and then ignore stuff like this [slashdot.org] or the fact that a handful of corporations a
Re: (Score:2)
Actually, security can be done there just as well as in the traditional space. The problem is that people do not pay attention to it, do not get qualified (expensive) experts, do not run external pen-tests and security audits, and, and that is the killer, nothing happens to the C-level screw-ups that are responsible. Unless and until personal responsibility and criminal liability for the CEO that fucked this up is established, nothing will change.
I am not saying a CEO should go to prison and lose his person
It's time to fight this (Score:2)
Re: (Score:2)
Exactly. The CEO is a definite one, for others it depends. But at least the CISO should get a close, hard look as well, and the CIO may also be on the hook. Anybody below that level may have screwed up, but that is because they were not qualified for their position and that is not their fault and not their responsibility to assure. Also, there is a real question whether the board did take its supervisory role seriously or whether they screwed up as well.
Exactly (Score:2)
Protected? Obviously not.