Fertility Clinic Allegedly Failed to Safeguard Personal Health Information of 15,000 Patients

  • New Jersey Acting AG Andrew Bruck reached a settlement with healthcare provider Diamond Institute for Infertility and Menopause, LLC (“Diamond”) to resolve allegations stemming from a 2016 data breach that compromised the personal health information of nearly 15,000 patients in violation of the New Jersey Consumer Fraud Act, the New Jersey Identity Theft Prevention Act, and the federal Health Insurance Portability and Accountability Act.
  • According to the AG’s office, Diamond allegedly failed to safeguard electronic protected health information (“ePHI”) stored on its network and failed to detect unauthorized access to its network for over five months. Specifically, Diamond allegedly failed to conduct adequate risk assessments of potential vulnerabilities to the safety of ePHI on its network, review and modify security measures as needed, encrypt ePHI, implement proper procedures for passwords, and implement procedures to authenticate persons seeking access to ePHI, among other things.
  • Under the terms of the consent decree, Diamond will pay $412,300 in civil penalties and $82,700 in attorneys’ fees and costs, and must strengthen its data protection protocols, including by developing and implementing a comprehensive written information security (“IS”) program, creating a new corporate officer position responsible for the IS program, training employees on information privacy and security, and implementing personal information safeguards and controls such as encryption, logging and monitoring, and password management, among other things.