A New Jersey infertility clinic has reached a settlement with the state and will pay a $495,000 penalty for violating HIPAA and New Jersey law by failing to implement appropriate cybersecurity measures.
Diamond Institute for Infertility and Menopause, LLC (Diamond) in Millburn, NJ operates one healthcare facility in New Jersey and another in New York, and provides consulting services in Bermuda. Delivering those services requires the collection, storage, and use of personal data and protected health information (PHI).
Between August 2016 and January 2017, at least one unauthorized individual gained access to Diamond’s network, which contained the PHI of 14,663 patients, 11,071 of whom were New Jersey residents.
As a HIPAA-covered entity, Diamond must implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey law, which likewise requires reasonable and adequate security measures to protect medical information from unauthorized access.
Diamond’s Compliance with Federal and State Law Investigated
The State of New Jersey Department of Law and Public Safety, Division of Consumer Affairs, investigated Diamond following the data breach to determine whether it was compliant with federal and state law. The investigation found that in 2007, Diamond had signed a support agreement with the managed service provider (MSP) Infoaxis Technologies. The contract covered security and IT services as well as maintenance of its third-party workstations and server, and included third-party software for managing and documenting audit logs that was designed to read trigger conditions and raise alerts.
Around March 2014, Diamond scaled back its support agreement with the MSP, reducing the services provided, although Diamond states that the only difference between the two support contracts was the number of hours of on-site support.
Before the breach, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service and a VPN to access the Diamond system. Because the VPN was blocked from the Bermuda office, the MSP provided an alternative access method that required opening a port in the firewall to permit RDP access directly, rather than authenticating through the VPN.
From August 28, 2016 to January 14, 2017, an unauthorized person accessed a workstation in the Millburn office on multiple occasions from an international IP address. The unauthorized access was discovered and blocked on January 14, 2017. At that time the workstation was exposed and the data on it was not encrypted, so the intruder potentially accessed patient information including names, dates of birth, Social Security numbers, and medical record numbers.
The breach investigation also found that the intruder gained access to Diamond’s third-party server, which stored its electronic medical records in a password-protected SQL server, using two compromised Diamond user accounts that had weak passwords. The investigation found weak security configurations for failed login attempts and password expiry.
Although the EMR data was not breached, the intruder gained access to PHI including test data, ultrasound images, and clinical and post-operative information. Diamond’s investigation could not confirm how the unauthorized person gained access to the network.
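The two findings above, repeated RDP logons from an unexpected external address and failed-login settings that never locked the compromised accounts, are the kind of thing a small audit-log check can surface. The following is an added example (not code from the article, the clinic, or its MSP); the log format, the allowlisted networks, the lockout threshold, and the sample events are all constructed for illustration.

```python
"""Added detection example (not the article's or the clinic's code). Flags successful
RDP logons (Windows logon type 10) from IPs outside an allowlist, and accounts that
failed past a lockout threshold yet still logged in, i.e. no effective lockout.
Log lines and networks are constructed for this example."""
import ipaddress
from collections import defaultdict

# Hypothetical allowlist: office LAN plus the VPN pool remote staff should use.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]
LOCKOUT_THRESHOLD = 5  # failures a reasonable lockout policy would stop at

# Constructed log lines: timestamp, event id (4624 success / 4625 failure),
# account, logon type, source IP. 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
2016-08-28T02:13:07 4625 jsmith 10 203.0.113.77
2016-08-28T02:13:19 4625 jsmith 10 203.0.113.77
2016-08-28T02:13:31 4625 jsmith 10 203.0.113.77
2016-08-28T02:13:44 4625 jsmith 10 203.0.113.77
2016-08-28T02:13:58 4625 jsmith 10 203.0.113.77
2016-08-28T02:14:12 4625 jsmith 10 203.0.113.77
2016-08-28T02:14:55 4624 jsmith 10 203.0.113.77
2016-08-29T09:00:01 4624 drlee 10 192.168.50.20
2016-08-29T09:05:40 4624 drlee 2 192.168.50.20
"""

def parse(line):
    ts, event_id, account, logon_type, src = line.split()
    return {"ts": ts, "event": int(event_id), "account": account,
            "logon_type": int(logon_type), "src": ipaddress.ip_address(src)}

def is_allowed(ip):
    return any(ip in net for net in ALLOWED_NETS)

def analyze(log_text):
    """Return (external RDP successes, accounts that beat the lockout policy)."""
    external_rdp, weak_lockout = [], set()
    failures = defaultdict(int)
    for raw in log_text.splitlines():
        e = parse(raw)
        if e["logon_type"] != 10:
            continue  # only remote interactive (RDP) sessions are of interest
        if e["event"] == 4625:
            failures[e["account"]] += 1
        elif e["event"] == 4624:
            if failures[e["account"]] > LOCKOUT_THRESHOLD:
                weak_lockout.add(e["account"])  # got in after too many failures
            failures[e["account"]] = 0
            if not is_allowed(e["src"]):
                external_rdp.append((e["ts"], e["account"], str(e["src"])))
    return external_rdp, sorted(weak_lockout)
```

Running `analyze(SAMPLE_LOG)` reports the successful RDP logon from 203.0.113.77 and lists jsmith as an account that authenticated after six failures, which is exactly the combination that an enforced lockout policy and a VPN-only RDP path would have prevented.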