Russian hackers target IVF clinics across UK used by thousands of couples
London Women’s Clinic treats thousands of couples a year

A prestigious IVF clinic used by thousands of couples across the UK has confirmed that Russian hackers broke into its systems, after Metro revealed the huge data breach.

The London Women’s Clinic, which offers IVF, egg freezing and other fertility treatments at 17 centers across the country, was compromised by the ransomware gang Qilin.

A number of NHS patients are among those who use the clinic and may have been at risk of having their private medical data exposed.

The ‘concerning’ data breach is believed to have taken place on October 19, when the Russian group posted about it on its dark web channels.

London Women’s Clinic appeared on Qilin’s list of hacking victims

One former private patient, who used the clinic with her husband for initial investigations, told Metro: ‘It’s horrible to think my personal details could be part of a criminal database, with information it was hard to share even with a doctor potentially becoming public knowledge. Fertility challenges are already hard enough.

‘News that they have been hacked is a concern, as obviously the things you share and discuss in those consultations can be incredibly intimate and upsetting, and not the kind of thing you’d want to see plastered on the dark web.

‘I haven’t had any emails from them to indicate there could have been a problem, so this is the first I’ve heard of it.

‘They used encryption to send confidential messages, so seemed to be taking care to keep personal information protected. Hopefully any data accessed was therefore limited.’

London Women’s Clinic confirmed the breach to Metro a day after the newspaper revealed the attack.

They said they are still investigating what happened with cyber-security experts and assured patients their systems have been secured.

The Human Fertilisation and Embryology Authority (HFEA) and NHS England first confirmed the hack to Metro.

Rachel Cutting, director of compliance and information at the HFEA, said: ‘The clinic has informed the HFEA of the incident in line with its regulatory requirements and is giving us regular updates during the course of their full investigation.

‘We appreciate that this incident may be concerning to patients. Any patients who have questions about the incident should contact the clinic. Patients can also access further support through the clinic’s counselling service.’

The prestigious Harley Street Clinic has not commented publicly about the hack (Picture: London Women’s Clinic)

Tone Jarvis-Mack, of the Fertility Foundation, called on The London Women’s Clinic to be ‘transparent’ about the nature of the ‘concerning’ data breach.

The fertility charity’s chief executive last night said: ‘The clinic should be transparent. Any company is vulnerable to an attack.

‘That patient data may be leaked out into the public will add more stress at a time when they are going through a stressful situation.

‘Clinics should be ultra secure. We have to go on faith that they are protecting our data.’

Mr Jarvis-Mack estimated that the clinic could hold sensitive personal data for ‘thousands’ of couples they have treated over the years, including many partners being funded through the NHS.

He continued: ‘The London Women’s Clinic holds treatment data, and information on medication tests, STI checks.

‘There are all kinds of tests you would not want public. With that information that would allow them to create the perfect scam. They would know exactly who you are, your partner’s name, your occupation.’

The clinic has since clarified to Metro that its investigations suggest electronic medical records were not accessed. However, questions remain over how the hackers managed to break into the network in the first place.

A spokesperson from the medical organisation said: ‘London Women’s Clinic has been the subject of a cyber security incident.

‘We wish to reassure our patients that our technical teams took immediate action to shut the incident down, secure our IT systems and begin a thorough investigation with the support of leading cyber-security experts.

‘The incident was quickly contained, and we wish to assure our patients that our systems are secured, and we are operating as normal.

‘We have notified all relevant authorities, including law enforcement, Human Fertilisation and Embryology Authority (HFEA) and Information Commissioner’s Office (ICO) and are co-operating with them on their external investigations.

‘We understand how concerning this will be for our patients. To date, our investigations indicate that our Electronic Medical Records system has not been accessed. However, we continue to assess any wider impact, and we will contact individuals directly as appropriate to provide support and guidance.

‘Any patients with questions should contact us directly.’

Qilin has been known to post stolen data on the dark web

An NHS England spokesperson said: ‘We are aware of an incident affecting the private provider London Women’s Clinic and our Cyber Security Operations center has been working with them to offer support and assess any impact.’

The London Women’s Clinic opened in 1985 and pioneered treatments for prospective mothers.

They were the first clinic in the UK to provide sperm donor insemination for lesbian couples.

Who are Qilin?

Qilin are a Russian-speaking ransomware gang, although the location of the group is unknown.

The hackers have been active since October 2022, when they launched attacks on companies such as Robert Bernard in France and Australian IT consultancy Dialog.

They also offer ‘ransomware as a service’, which allows other hackers to use their tools in return for a cut of the proceeds.

One of their most devastating UK attacks was against the publisher of the Big Issue in March 2024. They wrecked the group’s systems and published more than 500GB of confidential data after the publisher refused to pay a ransom.

In 2023, Qilin’s typical ransom demand was anything from $50,000 to $800,000, according to Group-IB, a cybersecurity firm which infiltrated the group that year.

Qilin, based in Russia, was behind a ransomware attack on NHS hospitals in June which affected blood transfusions and test results.

Ransomware attacks involve hackers encrypting a victim’s files, locking them out of their data, and then demanding a ransom for the decryption key.

Qilin has been known to post stolen data on the dark web when their victims fail to pay a ransom.

It is not known what information has been accessed and whether the London Women’s Clinic has paid any ransom for the data.

London Women’s Clinic has not responded to requests for comment.
