DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NJ: Acting AG Bruck Announces Settlement with Fertility Clinic over Cybersecurity Lapses and Data Breach

Posted on October 12, 2021 by Dissent

There’s an update to a 2017 breach affecting patients of Diamond Institute for Infertility and Menopause. At the time, they reported a hack of a third-party server that impacted more than 14,000 patients. Today, the state of New Jersey announced a settlement in their enforcement action against the entity:

NEWARK – Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs today announced that a healthcare provider focused on the diagnosis and treatment of infertility will pay $495,000 and implement new data security measures following a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents.

The settlement resolves the state’s investigation into Diamond Institute for Infertility and Menopause, LLC (“Diamond”), which is based in Millburn, Essex County. Diamond operates two healthcare practices in New Jersey (in Millburn and Dover) and one in New York, and offers consultation services in Bermuda.

The data breach allowed multiple instances of unauthorized access to Diamond’s network between August 2016 and January 2017, giving at least one intruder access to consumer electronic protected health information (“ePHI”).

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

Under state and federal law, healthcare practices, such as Diamond, that handle sensitive medical and client information are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.

The Division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, and the HIPAA Security Rule when it removed administrative and technological safeguards for protected health information (“PHI”) and ePHI, resulting in unauthorized access to its network that went undetected for approximately five and a half months.

Specifically, the alleged violations include:

  • failing to conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • failing to implement a mechanism to encrypt ePHI;
  • failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
  • failing to implement proper procedures for creating, changing, and safeguarding passwords; and
  • failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.

Diamond disputes the Division’s allegations.

In addition to the monetary payment, today’s settlement requires Diamond to implement extensive reforms designed to strengthen its data security system and encryption protocols in an effort to protect the personal and protected health information of clients and prevent future breaches.

Specific information-security measures required under the settlement announced today include:

  • developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
  • training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
  • developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
  • implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.

The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.

The settlement with Diamond comes during October’s Cybersecurity Awareness Month, when states across the country highlight the importance of taking proactive steps to enhance security.

Annual reports issued by the State Police show that last year, more than 1.9 million accounts held by New Jersey residents were compromised by data breaches, a slight increase over the 1.8 million compromised accounts reported in 2019. These numbers are more than five times more than the number reported in 2018.

Deputy Attorney General Cody Valdez and Section Chief Kashif Chand of the Data Privacy & Cybersecurity Section, within the Division of Law’s Affirmative Civil Enforcement Practice Group, represent the State in the Diamond matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.

***

The mission of the Division of Consumer Affairs, within the Department of Law and Public Safety, is to protect the public from fraud, deceit, misrepresentation and professional misconduct in the sale of goods and services in New Jersey through education, advocacy, regulation and enforcement. The Division pursues its mission through its 51 professional and occupational boards that oversee 720,000 licensees in the state, its Regulated Business section that oversees 60,000 NJ registered businesses, as well as through its Office of Consumer Protection, Bureau of Securities, Charities Registration section, Office of Weights and Measures, and Legalized Games of Chance section.

###

Related:  Consent Order

h/t, @fanCRTCProfling

Category: Health DataSubcontractorU.S.

Post navigation

← Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly
How I hacked ALL displays in my high school district to play Rick Astley →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch (1)
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.