Date:

Sep 2022

Location:

United States of America

Summary

Northern California Fertility Medical Center experienced a data breach when an unauthorized party accessed its network and attempted to encrypt files, compromising patients' protected health information including names, ultrasound status details, and cryopreserved tissue records. The organization terminated the unauthorized access, reported the incident to law enforcement, and engaged cybersecurity specialists to investigate, confirming sensitive data exposure. Affected individuals were notified of the breach, which heightened risks of identity theft and fraud due to the unauthorized disclosure of their personal and medical information.

Description

Northern California Fertility Medical Center (“NCFMC”) detected a network security incident involving unauthorized access to its systems, prompting an investigation that revealed sensitive patient data exposure. The breach occurred when an unauthorized party infiltrated NCFMC’s network and attempted to encrypt certain files, though the exact intrusion timeline remains unspecified in public disclosures. Upon discovering the incident, NCFMC immediately terminated the unauthorized access, reported the event to law enforcement agencies, and engaged third-party cybersecurity specialists to assist with forensic analysis. The investigation confirmed that attackers accessed files containing protected health information (PHI), including patient names alongside medical status details related to ultrasounds performed at the facility and cryopreserved tissue storage records. No evidence suggested broader electronic health record system compromise beyond these specific files. The Sacramento-based fertility clinic, which became a UC Davis Health affiliate in 2021, completed its review of affected records on September 23, 2022, the same day it filed breach notifications with the California Attorney General’s Office and dispatched individualized data breach letters to impacted patients.

The confirmed compromised data exposed patients to heightened identity theft and fraud risks, with no indication in disclosures that ransom demands or data misuse had occurred post-incident. NCFMC’s notification letters detailed the specific PHI categories involved but did not quantify the number of affected individuals or specify whether Social Security numbers or financial data were accessed. Response measures included coordinated efforts with cybersecurity professionals to secure systems, though the organization did not publicly disclose whether network vulnerabilities were fully remediated or whether multi-factor authentication enhancements were implemented. The breach impacted a healthcare provider offering fertility treatments since 1992, including IVF and egg freezing services, with 40+ employees and $10 million annual revenue. Consequences centered on patient privacy violations involving reproductive health data, creating potential secondary risks beyond standard PHI breaches given the sensitive nature of fertility treatment information. No subsequent lawsuits or regulatory penalties were referenced in the primary source material following the September 2022 disclosures.
