Millburn-based clinic will pay $495,000, implement new data security measures in settlement

MILLBURN, NJ — Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced Oct. 12 that a health care provider focused on the diagnosis and treatment of infertility will pay $495,000 and implement new data security measures following a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. 

The settlement resolves the state’s investigation into Diamond Institute for Infertility and Menopause LLC, which is based in Millburn. Diamond operates two health care practices in New Jersey, one in Millburn and the other in Dover, and one in New York, and offers consultation services in Bermuda.

The data breach allowed multiple instances of unauthorized access to Diamond’s network between August 2016 and January 2017, giving at least one intruder access to consumer electronic protected health information.

“Patients seeking fertility treatment rightly expect their health care providers to protect their privacy,” Bruck said. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

“Inadequate data systems and protocols are every hacker’s dream,” Division of Consumer Affairs acting Director Sean P. Neafsey said. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

Under state and federal law, health care practices, such as Diamond, that handle sensitive medical and client information are required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information.

The division’s investigation resulted in allegations that Diamond violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s privacy and security rules when it removed administrative and technological safeguards for protected health information, resulting in unauthorized access to its network that went undetected for approximately five and a half months. Diamond disputes the division’s allegations of improper security.

The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees. In addition to the monetary payment, this settlement requires Diamond to implement extensive reforms designed to strengthen its data security system and encryption protocols in an effort to protect the personal and protected health information of clients and prevent future breaches.