US Fertility Reaches $5.75M Settlement Following Ransomware Attack


April 2, 2024

World map

US Fertility (USF), which provides IT services to more than 200 physicians at multiple fertility clinics, has settled a class action lawsuit for $5.75 million following a 2020 ransomware attack that included the exfiltration of sensitive data for nearly 900,000 people.

The lawsuit accused USF of failing to uphold data security best practices, although USF was not required to admit any culpability for the data breach in the final settlement.

“USF failed to take adequate and reasonable measures to ensure its computer/server systems were protected against unauthorized access and failed to take actions that could have stopped the Data Breach before it occurred,” Health IT Security reported the suit as stating.

“This is shown, in part, by the fact that the hackers were able infiltrate USF’s systems and exfiltrate data for over a month undetected. In fact, the only reason USF detected the hackers’ intrusion at all is because the hackers eventually executed a ransomware scheme that blocked USF’s access to its own system.”

Takeaway: Ransomware attack recovery costs average more than $4 million, and this does not include potential losses like damage to the brand, lost revenue, lost production from downed systems, and other collateral damage, such as intellectual property and regulated data loss.

Then, long after the dust has settled from the attack, victim organizations more often are suffering even more losses because of the exposure of sensitive data.

Ransomware attacks today increasingly involve data exfiltration prior to the encryption of systems. The stolen data is used as leverage to compel the victim to pay the ransom demand with the threat of exposing the data if payment is not made.

These double extortion schemes may also involve the demand for an additional ransom payment to ensure the data is not leaked or sold on the dark web. The exposure of this data in ransomware attacks is more often leading to lawsuits, some reaching class-action status.

Even if organizations are prepared to respond and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional liability risk from lawsuits, and as we can see from the USF example, legal liability following a ransomware attack can often exceed the cost of incident response and recovery actions.

There is much focus on the delivery of the ransom payload, but we must remember that this occurs at the end of the attack sequence when the damage to the victim organizations has already occurred.

Organizations are not putting enough emphasis on detecting the earliest stages of the attack, where the threat actors are preparing the environment for delivery of the ransomware payload and exfiltrating data.  

As we see from the USF example, there were several weeks to months of detectable activity on the network prior to the final payload being delivered.

Few would argue that we don’t need regulations to govern the handling of our most sensitive personal information, but given the government seems incapable of protecting organizations from recurring ransomware attacks, the current legal regulatory environment only serves to revictimize the victims.

Recent developments suggest we will see more punitive class action lawsuits, regulatory actions, criminal prosecutions and potentially even jailtime for leadership following successful attacks – especially if sensitive or regulated data was compromised.

Take the recently enacted reporting rule implemented by the Securities and Exchange Commission (SEC) in December which requires publicly traded companies to disclose a “material security event” within four days or face regulatory action.

Forensic investigations are difficult, and they take a lot of time. The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

The USF example shows us that a four-day timeline to accurately report on an incident is unreasonable. Bob Zukis, CEO of Digital Directors Network, penned an interesting assessment of the recently enacted SEC rules recently.

Zukis noted that the SEC requires “a description of <sic> the material aspects of the nature, scope and timing of the incident... As the investigation proceeds, disclosure amendments are to be filed as further material information arises about the incident.”‍

Zukis noted that so far “none of the first disclosures made under the new SEC disclosure rules includes descriptions of the material impacts or reasonably likely material impacts of the incident.”

We must be careful not to confuse disclosing information about a cyberattack while informing investors why an attack should be considered in their investment decisions. Forensic investigations are difficult, and they take time – a lot of time.  

The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported, as the USF case makes clear.

Publicly traded companies are now must either trickle out incomplete information over time as the investigation progresses - or worse, they find themselves facing regulatory actions for failure to adhere to SEC reporting rules that don’t line up with the reality of a post-attack incident response.

Unfortunately, while the C-Level and BoD are increasingly at risk of legal and regulatory actions, it is most likely the CISO or equivalent who traditionally gets thrown under the bus following a successful attack. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.