N.J. infertility practice to pay $500K after data breach, state says

An infertility healthcare provider in New Jersey has agreed to pay nearly $500,000 and overhaul its security measures after a data breach compromised the personal information of nearly 15,000 patients, the attorney general’s office said.

Patients of Diamond Institute for Infertility and Menopause, which has practices in Millburn and Dover and one in New York, had their electronic personal health information (ePHI) compromised after multiple incidents of unauthorized access to Diamond’s network between August 2016 and January 2017, the office said. The company also offers consultation services in Bermuda.

More than 11,000 of the patients are from New Jersey, it said.

“Inadequate data systems and protocols are every hacker’s dream,” Division of Consumer Affairs acting director Sean Neafsey said in a statement. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The $495,000 settlement includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.

Healthcare practices that handle sensitive medical and patient information are required under state and federal law to have safeguards for it, the attorney general’s office said.

The state alleged that Diamond violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules when it “removed administrative and technological safeguards for protected health information (PHI) and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.”

It said the company failed to conduct risk assessments, encrypt ePHI and establish other security measures.

Diamond did not admit to any wrongdoing. Messages for the company were not immediately returned.

The settlement requires Diamond to implement new security reforms to strengthen its system and add encryption protocols to better protect patient information, the state said.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” Acting Attorney General Andrew Bruck said in a statement. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”


Karin Price Mueller may be reached at KPriceMueller@NJAdvanceMedia.com.
