Cyber Incident Victim: Extend Fertility

Extend Fertility, a New York City-based fertility clinic, experienced a ransomware attack initially detected on December 20, 2022. The investigation determined unauthorized actors first accessed the clinic's systems on or around December 15, 2021. Upon discovery, Extend Fertility engaged third-party computer forensics experts to analyze the breach. The attackers successfully encrypted files across the organization's network and servers during the intrusion. While data exfiltration could not be conclusively verified, forensic analysis indicated a high likelihood that files containing protected health information were extracted from the systems. The clinic completed its initial investigation on January 28, 2022, confirming the attack timeline and scope of system compromise.

The incident potentially exposed sensitive data of 10,373 patients through files that included comprehensive personal and medical details. Affected information encompassed full names, genders, home addresses, phone numbers, email addresses, dates of birth, medical histories, diagnoses, treatment details, service dates, lab test results, prescription records, provider names, medical account numbers, health insurance policy details, group plan information, and claim data. Extend Fertility found no evidence of actual or attempted misuse of the compromised information. As a precautionary measure, the clinic offered affected individuals complimentary credit monitoring and identity theft protection services. Internally, Extend Fertility initiated security improvements by collaborating with external cybersecurity consultants to implement enhanced safeguards based on their recommendations. The organization also committed to strengthening its employee cybersecurity training program to reduce future vulnerabilities.