An investigation of potential violations of the New Jersey Consumer Fraud Act (CFA), the New Jersey Identity Theft Prevention Act (ITFA), and the Health Insurance Portability and Accountability Act (HIPAA) has resulted in a financial penalty for the New Jersey infertility clinic Diamond Institute for Infertility and Menopause, LLC (Diamond).
The New Jersey Division of Consumer Affairs, Office of Consumer Protection (DCA) launched an investigation of Diamond after being notified of a data breach that was publicly announced by Diamond on April 28, 2017. Unauthorized individuals had gained access to its network, which contained the protected health information of 14,633 individuals. Diamond’s investigation revealed parts of its systems were accessed by at least one unauthorized individual between August 28, 2016, and January 14, 2017.
Diamond, which operates infertility clinics in New Jersey and New York and provides consultancy services in Bermuda, is required by HIPAA and state law to implement appropriate technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of the personal and medical data of its patients.
The investigation revealed Diamond was using a managed service provider to provide monitoring services and technical safeguards, with the services including the management and reporting of audit logs to identify potential intrusions. In March 2014, the service agreement was changed by Diamond to a less comprehensive package and some of the services and safeguards were no longer provided.
Before the breach occurred, Diamond’s HIPAA Privacy and Security Officer used an RDP connection with a Virtual Private Network (VPN) to remotely access Diamond’s network, but since the VPN was blocked from the Bermuda office, the managed service provider opened a port in the firewall to allow RDP access without using the VPN.
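As an added illustration, not code from the article or from Diamond or its service provider, the following check flags the kind of firewall change described above: any allow rule for RDP (TCP 3389) whose source is not confined to the VPN client pool. The VPN pool range 10.8.0.0/24 and the rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389
# Assumed (constructed) address pool handed out to VPN clients; only RDP
# sessions originating from this range should reach the internal hosts.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")


@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source in CIDR form; "any" means 0.0.0.0/0
    dst_port: int
    proto: str = "tcp"


def exposed_rdp_rules(rules):
    """Return names of allow rules that let RDP in from outside the VPN pool."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_port != RDP_PORT or r.proto != "tcp":
            continue
        src = ipaddress.ip_network("0.0.0.0/0" if r.src == "any" else r.src,
                                   strict=False)
        # Mixed address families cannot be compared, so treat them as exposed.
        if src.version != VPN_POOL.version or not src.subnet_of(VPN_POOL):
            findings.append(r.name)
    return findings


# Constructed "before" ruleset: RDP opened to any source so the Bermuda
# office can connect without the VPN. This is the weak configuration.
WEAK_RULES = [
    Rule("rdp-bermuda", "allow", "any", 3389),
    Rule("https-in", "allow", "any", 443),
]

# Constructed corrected ruleset: RDP reachable only from VPN clients,
# with an explicit deny for everything else.
FIXED_RULES = [
    Rule("rdp-vpn-only", "allow", "10.8.0.0/24", 3389),
    Rule("rdp-deny-rest", "deny", "any", 3389),
    Rule("https-in", "allow", "any", 443),
]

if __name__ == "__main__":
    print("exposed (before):", exposed_rdp_rules(WEAK_RULES))   # ['rdp-bermuda']
    print("exposed (after): ", exposed_rdp_rules(FIXED_RULES))  # []
```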
While Diamond’s investigation did not confirm how access to its network was gained, between August 2016 and January 2017, on multiple occasions an unauthorized individual accessed a computer in its New Jersey office. An unauthorized individual also gained access to a third-party server hosting its electronic health record system. While EHR data was not affected, documents on the server contained protected health information and were potentially accessed.
The PHI potentially compromised included names, dates of birth, Social Security numbers, medical record numbers, test results, ultrasound images, clinical notes, and post-operative notes.
DCA Investigation Uncovered Slew of HIPAA Violations
The DCA investigation uncovered a slew of HIPAA violations, including the failure to conduct an accurate and thorough risk assessment of vulnerabilities to ePHI, the failure to implement encryption, the failure to review and modify security measures to continue reasonable and appropriate protection of ePHI, the failure to implement procedures for creating, changing, and safeguarding passwords, insufficient procedures for verifying the identity of individuals attempting to access ePHI, and the failure to enter into business associate agreements with the managed service provider and two other companies prior to giving them access to ePHI.
The removal of administrative and technical safeguards meant hackers were able to access systems containing the ePHI of more than 14,000 individuals over a period of 5½ months.
In total, the investigation identified violations of 29 provisions of the HIPAA Privacy and Security Rules and violations of the CFA, including misrepresenting HIPAA practices in its security policy and privacy policy, failing to ensure the security of its network, and unconscionable commercial practices. Diamond denied the allegations but agreed to the terms of the consent order.
Under the terms of the consent order, Diamond was ordered to pay a financial penalty of $495,000, consisting of $412,300 in civil penalties and $82,700 in investigation fees. In addition, Diamond has agreed to an overhaul of its cybersecurity practices, which includes “extensive reforms designed to strengthen its data security system and encryption protocols.”
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Andrew J. Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”