Sperm bank breach deposits data into hands of cybercriminals


Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers’ personal information.

California Cryobank (CCB) is a sperm donation and cryopreservation firm and one of the US’ top sperm banks. As such, it services all US states and over 30 countries worldwide.

The data breach notification states that the breach occurred on April 20, 2024 and CCB discovered it on October 4, 2024. After an investigation, CCB determined that an unauthorized party gained access to its IT environment and may have accessed and/or acquired files maintained on certain computer systems between April 20, 2024, and April 22, 2024.

The information potentially involved varies by customer but includes names and one or more of the following:

  • Driver’s license numbers
  • Bank account and routing numbers
  • Social Security Numbers (SSN)
  • Health insurance information

CCB is posting letters—along the lines of this California example—to everyone who may be impacted.

It is unclear whether CCB counts sperm donors as customers, so it is also unclear whether donors’ personal information was among the data exposed.

Anonymous sperm donations are mostly a thing of the past. Anonymous donation was once seen as a way to protect the donor’s privacy and shield them from legal obligations, but online DNA databases have put an end to any guarantee of anonymity. Even so, an untimely disclosure of donor details could pose a significant privacy concern for those who donated anonymously in the past.

The handling, storage, and sharing of protected health information (PHI) within sperm banks falls under the Health Insurance Portability and Accountability Act (HIPAA):

  • The Privacy Rule requires sperm banks to implement safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that can be made without patient consent.
  • The Security Rule specifically requires sperm banks to secure electronic PHI (ePHI) appropriately against potential risks to confidentiality, integrity, and availability.
  • The Breach Notification Rule requires the provision of a notification to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media, in the event of a breach of unsecured PHI.

CCB is offering individuals whose Social Security and/or driver’s license numbers may have been involved in the incident complimentary one-year memberships to credit monitoring services.

For those who receive a notification letter, CCB has set up a dedicated, toll-free call center to answer any questions recipients may have.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or email, can be phished just as easily as a password; 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.