Fertility clinic to pay $495,000 to settle data breach investigation

A health care provider specializing in the diagnosis and treatment of infertility will pay $495,000 and implement new data security measures to settle legal claims following a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents.

The settlement resolves the state’s investigation into Diamond Institute for Infertility and Menopause, LLC, which is based in Millburn, Essex County.

Diamond operates two practices in New Jersey—in Millburn and Dover—plus one in New York, along with consultation services in Bermuda.

The breach involved multiple instances of unauthorized access to Diamond’s network between August 2016 and January 2017, giving at least one intruder access to consumer electronic protected health information (“ePHI”).

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said state Attorney General Andrew J. Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

Under state and federal law, health care practices, such as Diamond, that handle sensitive medical and client information are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.

The Consumer Affairs division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) privacy rule, and the HIPAA security rule when it removed administrative and technological safeguards for protected health information and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.

Specifically, the alleged violations include:

Diamond disputed the state’s allegations.

In addition to the monetary payment, today’s settlement requires Diamond to implement extensive reforms designed to strengthen its data security system and encryption protocols in an effort to protect the personal and protected health information of clients and prevent future breaches.

Specific information-security measures required under the settlement announced today include:

The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.

The settlement with Diamond comes during October’s Cybersecurity Awareness Month, when states across the country highlight the importance of taking proactive steps to enhance security.

Annual reports issued by the State Police show that last year, more than 1.9 million accounts held by New Jersey residents were compromised by data breaches, a slight increase over the 1.8 million compromised accounts reported in 2019. Both figures are more than five times the number reported in 2018.
