New Jersey Acting Attorney General Announces Data Breach Settlement with Fertility Clinic
On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.
Diamond Institute for Infertility and Menopause, LLC (“Diamond”) is a New Jersey-based fertility clinic with health care practices in New Jersey and New York, as well as consultation services in Bermuda. Between August 2016 and January 2017, an unauthorized intruder accessed Diamond’s network multiple times, allowing the intruder to access electronic protected health information (“ePHI”) and patient records, including Social Security numbers, lab results and ultrasound images. The Division of Consumer Affairs alleged that Diamond enabled the breach by removing administrative and technological safeguards for PHI and ePHI, consequently violating the New Jersey Consumer Fraud Act and HIPAA Privacy and Security Rules.
Diamond denies these allegations but has agreed to settle the matter by paying a monetary penalty and implementing specific information security measures. The penalty includes $412,300 in civil fines and $82,700 in investigative costs and attorneys’ fees. The agreed-upon security measures include:
developing, implementing and regularly updating a comprehensive information security program;
appointing a new HIPAA Privacy and Security Officer to implement, maintain and monitor the information security program;
training employees concerning the proper handling and protection of personal information, PHI and ePHI;
developing and implementing a written incident response and data breach notification plan; and
implementing administrative and technological safeguards for personal information, including encryption, logging and monitoring, access controls, a risk assessment program and password management.
“Inadequate data systems and protocols are every hacker’s dream,” Division of Consumer Affairs acting Director Sean P. Neafsey said in a statement regarding the breach. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”