NJ Infertility Clinic Reaches $495,000 Data Breach Settlement

Rivkin Radler LLP
The New Jersey Attorney General’s Office announced on October 12 that Diamond Institute for Infertility and Menopause, LLC, based in Millburn, NJ, will pay a $495,000 penalty for allegedly violating HIPAA and state law by failing to implement appropriate cybersecurity measures. The New Jersey Department of Law & Public Safety’s Division of Consumer Affairs investigated Diamond’s compliance after a data breach in which at least one unauthorized person accessed the company’s computer network in 2016-17. The network contained the protected health information (PHI) of 14,663 patients, of whom 11,071 were New Jersey residents.

Diamond operates infertility clinics in Millburn and Dover, NJ, and in Goshen, NY, and provides consultancy services in Bermuda. As a covered entity under HIPAA, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. In addition, New Jersey state law requires that reasonable and adequate safeguards be implemented to protect medical data from unauthorized access.

The data breach involved unauthorized access to one of Diamond’s workstations from a foreign IP address, and unauthorized access to the company’s third-party server (containing PHI) which the investigation determined had weak security settings. Before the breach, Diamond had downgraded its support package with a third-party security service provider.

The investigation revealed that Diamond had failed to enter into HIPAA business associate agreements with three outside service providers and had failed to comply with 29 provisions of the HIPAA Privacy and Security Rules, including failing to encrypt electronic PHI and failing to conduct a comprehensive risk assessment. The company was also alleged to have violated the New Jersey Consumer Fraud Act by misrepresenting its HIPAA practices in its privacy and security policy, by failing to secure its network, which led to the data breach, and by engaging in unconscionable commercial practices. Diamond disputed many of the claims but, in addition to the penalty, agreed to implement numerous measures to improve data security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
