Millburn-based Clinic Will Pay $495,000 and Implement Additional Data Security Measures
NEWARK – Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs today announced that a healthcare provider focused on the diagnosis and treatment of infertility will pay $495,000 and implement new data security measures following a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents.
The settlement resolves the state’s investigation into Diamond Institute for Infertility and Menopause, LLC (“Diamond”), which is based in Millburn, Essex County. Diamond operates two healthcare practices in New Jersey (in Millburn and Dover) and one in New York, and offers consultation services in Bermuda.
The data breach allowed multiple instances of unauthorized access to Diamond’s network between August 2016 and January 2017, giving at least one intruder access to consumer electronic protected health information (“ePHI”).
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”
“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”
Under state and federal law, healthcare practices, such as Diamond, that handle sensitive medical and client information are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.
The Division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, and the HIPAA Security Rule when it removed administrative and technological safeguards for protected health information (“PHI”) and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.
Specifically, the alleged violations include:
- failing to conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;
- failing to implement a mechanism to encrypt ePHI;
- failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
- failing to implement proper procedures for creating, changing, and safeguarding passwords; and
- failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
Diamond disputes the Division’s allegations.
In addition to the monetary payment, today’s settlement requires Diamond to implement extensive reforms designed to strengthen its data security system and encryption protocols in an effort to protect the personal and protected health information of clients and prevent future breaches.
Specific information-security measures required under the settlement announced today include:
- developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
- training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
- developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
- implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.
The settlement with Diamond comes during October’s Cybersecurity Awareness Month, when states across the country highlight the importance of taking proactive steps to enhance security.
Annual reports issued by the State Police show that last year, more than 1.9 million accounts held by New Jersey residents were compromised by data breaches, a slight increase over the 1.8 million compromised accounts reported in 2019. These numbers are more than five times more than the number reported in 2018.
Deputy Attorney General Cody Valdez and Section Chief Kashif Chand of the Data Privacy & Cybersecurity Section, within the Division of Law’s Affirmative Civil Enforcement Practice Group, represent the State in the Diamond matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.
The mission of the Division of Consumer Affairs, within the Department of Law and Public Safety, is to protect the public from fraud, deceit, misrepresentation and professional misconduct in the sale of goods and services in New Jersey through education, advocacy, regulation and enforcement. The Division pursues its mission through its 51 professional and occupational boards that oversee 720,000 licensees in the state, its Regulated Business section that oversees 60,000 NJ registered businesses, as well as through its Office of Consumer Protection, Bureau of Securities, Charities Registration section, Office of Weights and Measures, and Legalized Games of Chance section.