Illinois fertility clinic, online pharmacy giant Ravkoo report data breaches

Online pharmacy company Ravkoo and Fertility Centers of Illinois (FCI) have both informed thousands of current and former patients of data breaches involving troves of their sensitive information. 

The HIPAA Journal said 79,943 current and former patients were sent breach notification letters informing them that passport numbers, Social Security numbers, financial account information, payment card information, treatment information, treating physicians, medical billing/claims information, prescription/medication information and Medicare/Medicaid identification information was leaked. 

The breach also involved significantly more patient information related to treatment and health insurance coverage as well as some employee information. 

FCI said it “became aware of suspicious activity on its internal systems” on February 1 and determined that patient information was involved by August. The company did not respond to requests for comment about the delay in informing victims but said in the notice that they are offering one year of free credit monitoring and identity theft protection services.

FCI wasn’t the only healthcare institution dealing with a breach. Internet pharmacy service Ravkoo also notified customers of a data breach involving their information. 

In a letter sent to New Hampshire Attorney General Gordon McDonald, the Florida-based Ravkoo said hackers tried to infiltrate their AWS hosted cloud prescription portal on September 27. The incident exposed the prescription and healthcare information of 105,000 people, including nearly 400 in Maine. 

After hiring a cybersecurity firm, CEO Alpesh Patel said the company was told on October 27 that names, mail addresses, phone numbers, prescriptions and medical information were exposed. 

Breach notification letters were sent out January 3 and the FBI was notified, according to a notice on the Ravkoo website. Victims are being provided with one year of free online identity monitoring service from Kroll Information Assurance. 

In September, the hacker behind the attack on Ravkoo told The Intercept’s infosec director Micah Lee that Ravkoo was “hilariously easy” to hack and that they had access to hundreds of thousands of prescriptions filed with the company since 2020. 

According to what the hacker told The Intercept, Ravkoo’s site had “a hidden admin panel that every user can log in to and view all the data.”

Multiple fertility clinics reported data breaches in 2021, including Quest-owned ReproSource and Georgia-based Reproductive Biology Associates as well as its affiliate My Egg Bank North America. 

Jake Williams, CTO at BreachQuest, explained that it is not uncommon for medical organizations to store patient data outside of their electronic health record system and said it sounds like that’s what happened in the FCI case. 

The theft of administrative accounts and other high privilege accounts give hackers access to widespread data and often act as a single point of failure, according to nVisium’s Ben Pick.