The hack “allowed multiple instances of unauthorized access” to protected health information of patients of the Diamond Institute for Infertility and Menopause, LLC, which operates practices in Millburn, Dover and in Goshen, NY, Acting New Jersey Attorney General Andrew J. Bruck said Tuesday.
“Inadequate data systems and protocols are every hacker’s dream,” state Division of Consumer Affairs Acting Director Sean P. Neafsey said. “Companies that fail to comply with basic security requirements are an easy target.”
Last year, more than 1.9 million accounts held by New Jersey residents were compromised by data breaches, a slight increase over the 1.8 million compromised accounts reported in 2019, according to State Police. Both numbers are more than five times the 2018 total.
State and federal law requires healthcare practices to put safeguards in place to protect sensitive medical and client information.
Diamond, however, removed administrative and technological safeguards that left that information unprotected for 5 ½ months, the DCA charged.
This included not encrypting the data, ignoring proper procedures for creating, changing, and safeguarding passwords, and failing to verify that people seeking access to the information were who they claimed to be, the division said.
In doing so, Essex County-based Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, and the HIPAA Security Rule, state officials charged.
Diamond disputed the allegations while agreeing to the $495,000 settlement -- $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees, Bruck said.
It also requires it to undergo what the attorney general called “extensive reforms designed to strengthen its data security system and encryption protocols” that protect the personal and protected health information of clients and prevent future breaches.
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” Bruck said. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable.”
The settlement “sends the message that such privacy lapses come with significant consequences,” he said.
Deputy Attorney General Cody Valdez and Section Chief Kashif Chand of the Data Privacy & Cybersecurity Section of the state Division of Law’s Affirmative Civil Enforcement Practice Group handled the case for the state.
Aziza Salikhova of the DCA’s Office of Consumer Protection conducted the investigation.
Click here to follow Daily Voice Lower Merion-Narberth and receive free news updates.