Diamond Institute for Infertility and Menopause has reached a $495,000 settlement with the New Jersey acting attorney general and the state's Division of Consumer Affairs to resolve an investigation into the fertility clinic's cybersecurity practices following a health care data breach reported in 2017.

Diamond Institute operates three health care practices in New Jersey and New York and offers consultation services in Bermuda.

The settlement stems from an electronic health records (EHR) hack the clinic first reported in April 2017. A threat actor had access to the EHR for a five-month period, between August 2016 and January 2017, and the intrusion was not detected until a month later. The breach notice also explained that the clinic could not determine when access to the database first began.

The state's investigation focused on the circumstances of the breach: Diamond Institute had encrypted the database and the EHR, but not the surrounding documents stored on the compromised server. Because those files were left unencrypted, the attacker potentially gained access to patient data including names, contact details, Social Security numbers, lab tests, and sonograms. Approximately 14,633 patients were affected in all.

"Patients seeking fertility treatment rightly expect their health care providers to protect their privacy," said Acting Attorney General Andrew Bruck in a statement. "Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today's settlement sends the message that such privacy lapses come with significant consequences."

Under the Health Insurance Portability and Accountability Act (HIPAA) and state and federal regulations, Diamond Institute is required to implement administrative, physical, and technical safeguards to protect patient and consumer data.
The investigation into the clinic's practices was launched after allegations that Diamond Institute had violated the New Jersey Consumer Fraud Act and HIPAA.

The allegations included that Diamond Institute chose to remove administrative and technical controls protecting its electronic protected health information (PHI), which led to the network compromise, and that the clinic then failed to detect the intrusion for several months.

Diamond Institute was also accused of a host of other security shortcomings, including failing to conduct an adequate and thorough assessment of the risks to its PHI, not implementing an encryption mechanism for electronic PHI, failing to review and modify its security measures as needed, and not implementing effective password management policies, among other claims.

The provider continues to dispute these claims.
Fertility clinic reaches $495K settlement over lax cybersecurity, 2017 data breach

Diamond Institute for Infertility and Menopause settled with New Jersey officials for $495,000 to resolve an investigation of a 2017 health care data breach. ("File:Viljakuskliinik Fertility Clinic Nordic.jpg" by Merlilindberg is licensed under CC BY-SA 4.0)