The New Jersey Attorney General’s Office announced on October 12 that Diamond Institute for Infertility and Menopause, LLC, based in Millburn, NJ, will pay a $495,000 penalty for allegedly violating HIPAA and state law by failing to implement appropriate cybersecurity measures. The New Jersey Department of Law & Public Safety’s Division of Consumer Affairs investigated Diamond’s compliance after a data breach in which at least one unauthorized person accessed the company’s computer network in 2016-17. The network contained the protected health information (PHI) of 14,663 patients, of whom 11,071 were New Jersey residents.
Diamond operates infertility clinics in Millburn and Dover, NJ, and Goshen, NY, and provides consultancy services in Bermuda. As a covered entity under HIPAA, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. In addition, New Jersey state law requires that reasonable and adequate safeguards be implemented to protect medical data from unauthorized access.
The data breach involved unauthorized access to one of Diamond’s workstations from a foreign IP address, and unauthorized access to the company’s third-party server (containing PHI) which the investigation determined had weak security settings. Before the breach, Diamond had downgraded its support package with a third-party security service provider.
The investigation revealed that Diamond had failed to enter into HIPAA business associate agreements with three outside service providers and had failed to comply with 29 provisions of the HIPAA Privacy and Security Rules, including failing to encrypt electronic PHI and failing to conduct a comprehensive risk assessment. The company was also alleged to have violated the New Jersey Consumer Fraud Act by misrepresenting its HIPAA practices in its privacy and security policy, by failing to secure its network (which led to the data breach), and by engaging in unconscionable commercial practices. Diamond disputed many of the claims but, in addition to paying the penalty, agreed to implement numerous measures to improve data security.