An investigation by the state of New Jersey into a cyberattack on a fertility clinic has uncovered multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules and state laws. Diamond Institute for Infertility and Menopause, LLC has agreed to settle the case and will pay a financial penalty of $495,000.
Diamond Institute operates two clinics in Millburn and Dover in New Jersey, one in Goshen, New York, and provides consultancy services in Bermuda. On or around January 14, 2017, Diamond Institute discovered an unauthorized individual had gained access to its network. The investigation confirmed the unauthorized individual first accessed the network on August 28, 2016, with remote access terminated on January 14, 2017.
A review of the attack confirmed parts of the network that were compromised contained the protected health information of 14,633 individuals. Access was also gained to a third-party server that housed electronic medical records. Diamond Institute publicly announced the breach on April 28, 2017.
Diamond Institute said two user accounts were used in the attack, which at the time had weak passwords. There were also weak security controls to block accounts after multiple failed login attempts; however, the investigation did not determine how access was gained.
An investigation into the attack was initiated by the New Jersey Division of Consumer Affairs, Office of Consumer Protection to determine whether state and federal laws had been violated. The investigation uncovered multiple violations of the New Jersey Consumer Fraud Act (CFA) and HIPAA.
While the electronic medical record system on the third-party server was password-protected and not breached, encryption had not been put in place on the server which exposed documents that included patient data. Diamond Institute had not entered into business associate agreements with three companies prior to providing access to PHI, including the managed service provider Infoaxis.
Infoaxis was a business associate of Diamond Institute and managed the third-party server and monitored access logs to identify potential cyberattacks. Diamond Institute had downgraded the service agreement which reduced administrative and technical safeguards. While Diamond Institute maintains the changed agreement only reduced on-site service hours, the state investigation determined access logs were not being monitored, which meant the attacker was able to access the network undetected for five and a half months.
A slew of HIPAA violations was discovered including a risk assessment failure, failure to review and modify security measures, failure to protect against reasonably anticipated threats or hazards to security or integrity of ePHI, failure to reduce risks to a low and acceptable level, failure to regularly review access logs, failure to determine whether access to ePHI was appropriate for employees, failure to comply with the minimum necessary standard, password failures, backup failures, failure to track individuals with a unique username, authentication failures, a lack of encryption, and missing business associate agreements.
Diamond Institute disagreed with the claims made by the state but chose to settle the case. In addition to paying $412,300 in civil penalties and $82,700 investigative costs, Diamond Institute is required to implement a comprehensive plan to improve data security to prevent future data breaches.
“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”