New Jersey Infertility Practice to Pay $500,000 After Data Breach Compromises Personal Data
Table of Contents
- By David Lukic
- Published: Nov 01, 2021
- Last Updated: Mar 18, 2022
New Jersey’s Acting Attorney General has announced that the Diamond Institute of Infertility reached a settlement with the state to resolve an inquiry into a data breach. The intrusion leaked the personal information of almost 15,000 patients. Diamond Institute is expected to pay a fine of approximately $500,000 and reform existing security measures.
What Happened with the Diamond Institute Breach?
Between August 2016 and January 2017, an intruder gained unauthorized access into Diamond Institute’s network several times. These multiple breaches leaked electronic personal health information (ePHI) of 14,633 patients, including 11,071 residents of New Jersey.
Although their database and electronic health records were encrypted, other health documents stored on the server were not. Failure to encrypt important health documents allowed the intruder access to the health and other private information of patients. The breached data includes names, laboratory tests results, sonograms, and social security numbers.
“Inadequate data systems and protocols are every hacker’s dream,” said Sean Neafsey, the Director of the Division of Consumer Affairs. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose client’s sensitive information and make them vulnerable to identity theft.”
How Did Diamond Institute Respond?
Although Diamond Institute denied all the allegations, they have agreed to resolve the matter by paying the imposed fine. The settlement includes payment of $412,300 in civil fines as well as $82,700 in investigative and legal fees.
In addition to the monetary penalty, they will also implement several agreed-upon security measures.
- A new HIPAA officer will monitor their data security procedures.
- They are required to create a written incident report and data breach notification plan.
- They are expected to write and implement an actionable data security program that is subject to regular review.
- They will train employees on handling and safeguarding ePHI and other health documents.
- They will implement technological data protection that includes encryption, strong password management, access controls, and risk assessment programs.
Why is the Diamond Institute Involved in a Lawsuit?
The lawsuit was inevitable because Diamond Institute violated the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. According to the Attorney General's office, the Diamond Institute contributed to the data breach by removing necessary security safeguards that could have protected their patient's personal information.
According to him, all health care providers must adhere to the federal law that mandates the protection of sensitive health records and patients’ information using every available resource. Under this law, technological security measures (including cybersecurity) must be in place and must be implemented.
If these measures were in place, argued the State, the unauthorized intrusion should never have continued for five months. Additionally, since they were not sure when precisely the breach started, it was clear that their cybersecurity measures must be improved.
How Do HIPPA Laws Affect Data Breaches?
The HIPAA is a federal law that was established to improve data privacy within the healthcare industry. The law mandates businesses or organizations to report a security breach to appropriate authorities within 60 days of discovering the intrusion. Any organization that refuses to make a report within the stipulated time frame will be penalized.
Under this law, the HIPAA Breach Notification Rule also applies. This means every organization that collects, stores, and transmits the health information of patients must inform the authorities as well as the victims whenever there is a breach.
The notification must include:
- A detailed explanation of the data breach.
- A detailed description of what data was compromised.
- Precautionary measures that each victim must take.
- A detailed description of any countermeasure taken by the organization.
- Contact details of those affected.