A massive data breach at a New Jersey fertility clinic compromised the protected health information of 14,463 individuals. The New Jersey Attorney General investigated and came down hard. After an investigation, the clinic agreed to settle the case and pay $495,000 in civil penalties and investigation costs.
Triple Jeopardy HIPAA Enforcement
Since 2009 state attorneys general have been able to enforce federal HIPAA law as well as their own state privacy laws. The Office for Civil Rights (OCR), the federal office that enforces HIPAA, investigates all breaches that affect 500 or more individuals.
Diamond Institute for Infertility and Menopause, LLC (Diamond) is a New Jersey-based fertility clinic with healthcare practices in New Jersey and New York and consultation services in Bermuda. Between August 2016 and January 2017, an unauthorized cyber thief accessed Diamond’s network multiple times and obtained access to electronic protected health information (ePHI), including Social Security numbers, lab results and ultrasound images.
The New Jersey Division of Consumer Affairs alleged that Diamond enabled the breach by removing administrative and technological safeguards for PHI and ePHI, thereby violating the New Jersey Consumer Fraud Act and the HIPAA Privacy and Security Rules. Because the breach affected more than 500 individuals, OCR is required by law to investigate as well, and may already have completed its investigation.
Under state privacy and federal HIPAA laws, covered entities such as Diamond are required to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI they handle.
“Inadequate data systems and protocols are every hacker’s dream,” said the Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”
The settlement of $495,000 includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.
In addition to the settlement payment, Diamond has agreed to the following security measures:
- developing, implementing and regularly updating a comprehensive information security program;
- appointing a new HIPAA Privacy and Security Officer to implement, maintain and monitor the information security program;
- training employees concerning the proper handling and protection of personal information, PHI and ePHI;
- developing and implementing a written incident response and data breach notification plan; and
- implementing administrative and technological safeguards for personal information, including encryption, logging and monitoring, access controls, a risk assessment program and password management.
HIPAA Risk Management is the Best Defense
If Diamond had been practicing thorough HIPAA Risk Management, it would have avoided the harsh result of the attorney general's investigation. Not only was there evidence of a serious breach, but Diamond had (allegedly) intentionally disregarded key safeguards by removing them.
An annual Risk Analysis provides a reminder of the safeguards needed to keep patient information secure, such as encryption, logging and monitoring, access controls and password management. This is all basic cybersecurity 101. All of it, and more, is in a complete HIPAA Risk Management plan: analyze risks, take steps to reduce them, work to improve all year, then review again and refresh.
HIPAA compliance is easy step-by-step, once you know the steps.
Read the consent decree.