SECURITY
A chain of fertility clinics in northern Illinois has suffered a data breach following an unspecified cyberattack.
The attack struck Fertility Centers of Illinois PLLC, with 79,943 current and former patients potentially having had their personal information stolen. Information accessed includes Social Security and passport numbers, payment card information, medical records, health insurance information, account numbers, user names and passwords.
Personally identifiable information relating to the company’s employees was also accessed. Patients and employees affected have been notified of the breach by mail and have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Attacks on medical providers are a dime a dozen, but this story differs somewhat because of the company’s poor practices and the extended timeline of its reaction.
The “suspicious activity,” which involved a network server and an administrative account, was first detected on Feb. 1, HIPAA Journal reported today, with the company taking action to secure its systems. FCI then hired independent forensic investigators to determine the nature and scope of the security breach.
The scope of the attack and what was stolen were not confirmed until Aug. 27, some six months later. This is only now making news in 2022 because the company didn’t inform the U.S. Department of Health and Human Services of the breach until Dec. 27.
It’s not clear when FCI informed patients that their information had been breached, but its glacial pace of digging into the incident would suggest that at the very earliest, it was August, or perhaps even December. During that time, the hackers had personal information at hand that they may have already been using for nefarious purposes.
“FCI has stated that they followed reasonable practices to protect their users and that an administrative account was used to obtain the data,” Ben Pick, principal consultant at application security provider nVisium LLC, told SiliconANGLE. “But these higher privileged accounts often have access to widespread data and act as a single point of failure, as evidenced by the large amount of user data exposed.”
Pick added that without knowing the cause of how the administrator’s account was compromised, the best advice is to limit account access based on the need to know. “When these privileged accounts cannot be limited, then strong monitoring must be enforced,” Pick said. “This would alert when anomalous calls are made to indicate when an administrator may be performing an excessive amount of searches and possibly exfiltrating data.”