An investigation conducted by the New Jersey Department of Law and Public Safety Division of Consumer Affairs into a HIPAA compliance data breach at an infertility clinic has been settled, with the clinic operator agreeing to pay a financial penalty of $495,000.
Diamond Institute for Infertility and Menopause, LLC (Diamond) is based in Millburn, NJ, and operates two infertility clinics in the state and one in New York. The company also provides consultancy services in Bermuda. The breach in question occurred between August 2016 and January 2017, when an unauthorized individual was discovered to have remotely accessed its IT infrastructure which contained the protected health information of 14,663 patients, including 11,071 New Jersey residents.
The investigation was conducted to determine whether Diamond was in violation of the New Jersey Consumer Fraud Act (CFA), the New Jersey Identity Theft Prevention Act (ITPA), and/or the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The investigation uncovered multiple violations of the CFA and the HIPAA Privacy and Security Rules related to inadequate data systems and protocols.
Prior to granting any business access to ePHI, a HIPAA-covered entity must enter into a business associate agreement (BAA) with the vendor. The BAA outlines the responsibilities of the business associate under HIPAA with respect to ePHI. At the time of the breach, Infoaxis, BMedTech, and Igenomix were business associates of Diamond but there was no business associate agreement in place.
HIPAA requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), and there are similar requirements in state laws. Those safeguards were found to be lacking.
Diamond had a service level agreement with Infoaxis, which covered the management of a third-party server and workstations. The agreement also included the management and reporting of audit logs, so that event alerts could be triggered and interpreted. Around March 2014, Diamond changed the service package from “On-site ‘Gold’ Support” to the “Essentials+” agreement. While Diamond claimed the change only reduced on-site support time, the investigators determined that service levels were reduced, leaving information unprotected.
The investigation also determined that encryption had not been used, that written procedures for creating, changing, and safeguarding passwords were ignored, and that there were authentication failures, which allowed an unauthorized individual to access Diamond's systems for five and a half months.
Diamond denies any wrongdoing but agreed to settle the case. In addition to the financial penalty, Diamond has agreed to implement extensive reforms of its data security systems and encryption protocols to ensure the personal and protected health information of patients is secured.
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said New Jersey Acting Attorney General Andrew J. Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”