Millburn, N.J.-based Diamond Institute for Infertility & Menopause has agreed to pay nearly $500,000 following a 2017 data breach that exposed the protected health information of more than 14,000 patients, the New Jersey Attorney General's Office said Oct. 12.
The infertility center in February 2017 discovered that a hacker accessed a third-party server containing an EHR database. While the database was encrypted and not exposed, supporting documents containing patients' names, birth dates, Social Security numbers, lab results and other information may have been accessible.
The breach affected 14,633 individuals and allowed multiple instances of unauthorized access to the clinic's network between August 2016 and January 2017, according to the New Jersey attorney general.
The state's consumer affairs division launched an investigation into the incident, resulting in allegations that the clinic violated HIPAA regulations as well as the New Jersey Consumer Fraud Act when it removed administrative and technological safeguards for protected health information.
In addition to the $495,000 payment, the settlement also requires the clinic to implement data security system reforms and new encryption protocols to prevent future breaches, according to the news release from the attorney general.