A health care provider specializing in the diagnosis and treatment of infertility will pay $495,000 and implement new data security measures to settle legal claims following a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents.
The settlement resolves the state’s investigation into Diamond Institute for Infertility and Menopause, LLC, which is based in Millburn, Essex County.
Diamond operates two practices in New Jersey—in Millburn and Dover—plus one in New York, along with consultation services in Bermuda.
The data breach allowed multiple instances of unauthorized access to Diamond’s network between August 2016 and January 2017, giving at least one intruder access to consumer electronic protected health information (“ePHI”).
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said state Attorney General Andrew J. Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”
“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”
Under state and federal law, health care practices, such as Diamond, that handle sensitive medical and client information are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.
The Consumer Affairs division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) privacy rule, and the HIPAA security rule when it removed administrative and technological safeguards for protected health information and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.
Specifically, the alleged violations include:
- failing to conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;
- failing to implement a mechanism to encrypt ePHI;
- failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
- failing to implement proper procedures for creating, changing, and safeguarding passwords; and
- failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
Diamond disputed the state’s allegations.
In addition to the monetary payment, today’s settlement requires Diamond to implement extensive reforms designed to strengthen its data security system and encryption protocols in an effort to protect the personal and protected health information of clients and prevent future breaches.
Specific information-security measures required under the settlement announced today include:
- developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
- training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
- developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
- implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.
The settlement with Diamond comes during October’s Cybersecurity Awareness Month, when states across the country highlight the importance of taking proactive steps to enhance security.
Annual reports issued by the State Police show that last year, more than 1.9 million accounts held by New Jersey residents were compromised by data breaches, a slight increase over the 1.8 million compromised accounts reported in 2019. These numbers are more than five times more than the number reported in 2018.