Hack leaves fertility clinic medical data at risk

Data from a private fertility clinic was put at risk after a ransomware attack hit a document management firm.

The Lister Fertility Clinic said the firm, which it used for scanning medical records, had been "hacked" by a"cyber-gang", in a letter sent to about 1,700 patients.

Stor-a-file Limited said in total 13 organisations had been affected, of which six are healthcare-related.

It said "medical information having been accessed cannot be ruled out".

It added that it had informed the police and the Information Commissioner's Office.

"From our investigations the incident is limited to the small number of records we hold electronically," the firm said.

The Lister Fertility Clinic, which treats around 2,000 patients each year, told the BBC: "We are deeply sorry that this happened, and we are in the process of contacting those affected to provide more information and to offer any support they may need."

In a letter to patients seen by the BBC, the clinic said it's patient medical records were on the Stor-a-file IT system that was affected by the attack.

The Clinic said its medical records included: consent forms, medical history and test results, recommendations for treatment, and fertility treatment records. They did not include credit or debit card details.

In the letter, the Lister Clinic said: "We were advised by Stor-a-file that the cyber-gang that accessed their systems made a ransom demand which was not paid, and that the gang has released some of the data that they accessed on the dark web."

The clinic said no data belonging to Lister patients had been released.

According to the letter, Stor-a-file was told by the cyber-gang that "they don't intend to release medical records on the dark web" but the clinic told patients it could not guarantee this wouldn't happen.

"The hackers could also sell the medical records to a third party." it wrote. "We understand that credit card details and identity documents are easier to sell and make money from but we cannot rule out the possibility of the gang trying to sell your medical records. We are continuing to monitor the dark web for any information about our patients".

The clinic said it had instructed lawyers to terminate its contract with the document company, and to return or delete any data it holds.

Stor-a-file, which has its headquarters in Leicester said, it took "cyber-security extremely seriously", adding: "We have now removed all third party software from our secure system to prevent any similar issues in the future."

A spokesperson told the BBC there had been no communication with the hackers and no ransom had been paid.

The Register reported that the method, external used in the attack was popular with the Cl0p ransomware gang.

In June, six people alleged to be linked to the notorious gang, were arrested by Ukranian police.

The same attack also affected the Nuffield Health Leicester Hospital, Stor-a-file confirmed.

The independent sector hospital said that although data was taken after an attack on "a third-party document management services supplier", it could confirm that no "medical scans, images, diagnostic, payment card or contact information about Nuffield Health patients have been published online".

The hospital did not name the "third-party document services supplier".

Stor-a-file did not reveal the identity of the 11 other organisations affected, but said all had been contacted.

The firm said: "The Information Commissioner's Office (ICO) has been notified, as have the police. Over the past few weeks, we have been supported by the Leicestershire Cyber Crime Unit and we have been liaising with the ICO."

Although on its website the company says it works with a number of NHS trusts, it denied that any data from the health service had been affected.

The ICO told the BBC it was "making enquiries".