NJ Infertility Clinic Reaches $495,000 Data Breach Settlement

Rivkin Radler LLP
Contact

Rivkin Radler LLP

The New Jersey Attorney General’s Office announced on October 12 that Diamond Institute for Infertility and Menopause, LLC, based in Millburn, NJ, will pay a $495,000 penalty for allegedly violating HIPAA and state law by failing to implement appropriate cybersecurity measures. The New Jersey Department of Law & Public Safety’s Division of Consumer Affairs investigated Diamond’s compliance after a data breach in which at least one unauthorized person accessed the company’s computer network in 2016-17. The network contained the protected health information (PHI) of 14,663 patients, of whom 11,071 were New Jersey residents.

Diamond operates infertility clinics in Milburn, Dover, NJ, and Goshen, NY, and provides consultancy services in Bermuda. As a covered entity under HIPAA, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. In addition, New Jersey state law requires that reasonable and adequate safeguards be implemented to protect medical data from unauthorized access.

The data breach involved unauthorized access to one of Diamond’s workstations from a foreign IP address, and unauthorized access to the company’s third-party server (containing PHI) which the investigation determined had weak security settings. Before the breach, Diamond had downgraded its support package with a third-party security service provider.

The investigation revealed that Diamond had failed to enter into HIPAA business associate agreements with three outside service providers and failed to comply with 29 provisions of the HIPAA Privacy and Security Rules, including failing to encrypt electronic PHI or to conduct a comprehensive risk assessment. The company was also alleged to have violated the New Jersey Consumer Fraud Act by misrepresenting its HIPAA practices in its privacy and security policy, failing to secure its network leading to a data breach, and unconscionable commercial practices. Diamond disputed many of the claims but, in addition to the fine, agreed to implement numerous measures to improve data security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP
Contact
more
less

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.