Fertility Clinic Fails its Patients

A massive data breach at a New Jersey fertility clinic compromised the protected health information of 14,463 individuals. The New Jersey Attorney General investigated and came down hard: the clinic agreed to settle the case and pay $495,000 in civil penalties and investigation costs.

Triple Jeopardy HIPAA Enforcement

Since 2009 state attorneys general have been able to enforce federal HIPAA law as well as their own state privacy laws. The Office for Civil Rights (OCR), the federal office that enforces HIPAA, investigates all breaches that affect 500 or more individuals.

Diamond Institute for Infertility and Menopause, LLC (Diamond) is a New Jersey-based fertility clinic with healthcare practices in New Jersey and New York and consultation services in Bermuda. Between August 2016 and January 2017, an unauthorized cyber thief accessed Diamond’s network multiple times and obtained access to electronic protected health information (ePHI), including Social Security numbers, lab results and ultrasound images.

The New Jersey Division of Consumer Affairs alleged that Diamond enabled the breach by removing administrative and technological safeguards for PHI and ePHI, thereby violating the New Jersey Consumer Fraud Act and the HIPAA Privacy and Security Rules. Because the breach affected more than 500 individuals, OCR is required by law to investigate as well, and may already have finished its investigation.

Under state privacy and federal HIPAA laws, covered entities such as Diamond are required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI they handle.

“Inadequate data systems and protocols are every hacker’s dream,” said the Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.

In addition to the settlement payment, Diamond has agreed to the following security measures:

HIPAA Risk Management is the Best Defense

If Diamond had been practicing thorough HIPAA Risk Management it would have avoided the harsh result from the attorney general investigation. Not only was there evidence of a serious breach, but Diamond had (allegedly) disregarded key safeguards intentionally by removing them.

An annual Risk Analysis provides a reminder of the safeguards needed to keep patient information secure, like encryption, logging and monitoring, access controls and password management. This is all basic cybersecurity 101. All of it, and more, is in a complete HIPAA Risk Management plan: analyze risks, take steps to reduce them, work to improve all year, then review again and refresh.

HIPAA compliance is easy step-by-step, once you know the steps.

Read the consent decree.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
