Diamond Institute for Infertility and Menopause in New Jersey recently started notifying patients of an incident involving their electronic health records server, maintained by an unnamed third party. In a letter to the New Hampshire Attorney General’s Office, Diamond’s external counsel wrote:
On February 27, 2017, Diamond discovered that an unknown individual had gained access to the third- party server containing its electronic health records database. Although the database and patient electronic health records were encrypted and remain secure, certain support documents may have been accessible. Diamond immediately conducted an investigation and it was determined that the support documents may have contained patients’ name, addresses, dates of birth, Social Security numbers, lab results, and sonograms. Law enforcement was notified and Diamond is cooperating with their investigation.
The total number of patients notified was not disclosed in the letter to the state or the notification to patients. Patients were offered one year of AllClear ID services.
I do not think we will see this incident on HHS’s breach tool, largely because I don’t see where the institute is a covered entity under HIPAA. If I’m wrong, perhaps someone can let me know.
Update: So they are covered by HIPAA, it seems, as they reported this incident to HHS as affecting 14,633.