December 6, 2021

Volume XI, Number 340


December 03, 2021


New Jersey Acting Attorney General Announces Data Breach Settlement with Fertility Clinic

On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.

Diamond Institute for Infertility and Menopause, LLC (“Diamond”) is a New Jersey-based fertility clinic with health care practices in New Jersey and New York, as well as consultation services in Bermuda. Between August 2016 and January 2017, an unauthorized intruder accessed Diamond’s network multiple times, allowing the intruder to access electronic protected health information (“ePHI”) and patient records, including Social Security numbers, lab results and ultrasound images. The Division of Consumer Affairs alleged that Diamond enabled the breach by removing administrative and technological safeguards for PHI and ePHI, consequently violating the New Jersey Consumer Fraud Act and HIPAA Privacy and Security Rules.

Diamond denies these allegations but has agreed to settle the matter by paying a monetary penalty and implementing specific information security measures. The penalty includes $412,300 in civil fines and $82,700 in investigative costs and attorneys’ fees. The agreed-upon security measures include:

  • developing, implementing and regularly updating a comprehensive information security program;

  • appointing a new HIPAA Privacy and Security Officer to implement, maintain and monitor the information security program;

  • training employees concerning the proper handling and protection of personal information, PHI and ePHI;

  • developing and implementing a written incident response and data breach notification plan; and

  • implementing administrative and technological safeguards for personal information, including encryption, logging and monitoring, access controls, a risk assessment program and password management.

“Inadequate data systems and protocols are every hacker’s dream,” Division of Consumer Affairs acting Director Sean P. Neafsey said in a statement regarding the breach. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 288
