Diamond Institute for Infertility and Menopause reached a settlement with the New Jersey acting attorney general and the state’s Division of Consumer Affairs for $495,000 to resolve an investigation into the fertility clinic’s cybersecurity practices following a health care data breach reported in 2017.
Diamond Institute operates three health care practices in New Jersey and New York and offers consultation services in Bermuda.
The settlement stems from an electronic health records (EHR) hack first reported by the clinic in April 2017. A threat actor had access to the EHR for a five-month period between August 2016 and January 2017, and the intrusion was not detected until a month after it ended. The breach notice also stated that the clinic could not determine exactly when access to the database began.
The state’s investigation stemmed from the circumstances surrounding the breach: Diamond Institute had encrypted the database and EHR, but not the related documents stored on the compromised server.
Because those documents were not encrypted, the attacker potentially gained access to patient-related data, including names, contact details, Social Security numbers, lab tests, and sonograms. In total, approximately 14,633 patients were affected by the incident.
“Patients seeking fertility treatment rightly expect their health care providers to protect their privacy,” said Acting Attorney General Andrew Bruck, in a statement. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”
Under the Health Insurance Portability and Accountability Act (HIPAA) and related state and federal regulations, Diamond Institute is required to implement administrative, physical, and technical safeguards to protect patient and consumer data. The investigation into the clinic’s practices was launched after allegations that Diamond Institute had violated the New Jersey Consumer Fraud Act and HIPAA.
The allegations included Diamond Institute’s decision to remove administrative and technical controls for protected health information (PHI), which allegedly led to the network compromise and to the clinic’s failure to detect the intrusion for a number of months.
Diamond Institute was also accused of a host of security shortcomings, such as failing to conduct an adequate or thorough assessment of the risks to its PHI, not implementing an encryption mechanism for electronic PHI (ePHI), failing to review or modify security measures as needed, and not implementing effective password management policies, among other claims.
The provider continues to dispute these claims.
"Extensive reforms" ordered for data security system and encryption protocols
The consent order shows Diamond Institute entered into a managed services agreement with a third-party vendor in 2007 to maintain its third-party server and workstations, as well as the third-party software for managing and reporting audit logs that was meant to trigger event alerts.
Seven years later, the clinic downgraded its contract with the vendor, losing some key security services.
The investigation concluded that the breach stemmed from changes made to the remote access platform used for its Bermuda consultations, switching from a virtual private network (VPN) to Remote Desktop Protocol (RDP). The hacker gained access to the provider's network through this vulnerable channel “a significant number of times” from foreign IP addresses.
The attacker also exploited two other access points, which provided access to the clinic’s electronic medical record (EMR). The investigation determined this was caused by weak security settings governing failed login attempts and by the use of weak passwords.
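The two failures the investigation describes above, an exposed remote-desktop channel hammered from outside IP addresses and lax handling of failed logins, are both visible in ordinary authentication logs if anyone is looking. The following script is an added illustration, not code from the clinic, the vendor, or the consent order. It parses a handful of constructed Windows-style logon events (event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP), flags any source address that produces a burst of failures followed by a success, and separately checks an account-lockout policy against assumed sensible thresholds. The log line format, the sample IP addresses, the use of RFC 1918 ranges as "internal", and the thresholds are all assumptions for the example.

```python
"""Detect RDP password-guessing bursts in constructed Windows-style logon
events and sanity-check an account-lockout policy.

Added example for illustration only; not part of the article or the consent
order. Log format, sample addresses and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): ISO timestamp, event id, user,
# source IP, logon type. 4625 = failed logon, 4624 = success, type 10 = RDP.
SAMPLE_LOG = """\
2016-08-14T02:10:05 4625 user=jdoe src=203.0.113.7 type=10
2016-08-14T02:10:09 4625 user=jdoe src=203.0.113.7 type=10
2016-08-14T02:10:14 4625 user=admin src=203.0.113.7 type=10
2016-08-14T02:10:20 4625 user=admin src=203.0.113.7 type=10
2016-08-14T02:10:27 4625 user=admin src=203.0.113.7 type=10
2016-08-14T02:10:33 4624 user=admin src=203.0.113.7 type=10
2016-08-14T09:15:00 4625 user=nurse1 src=10.0.5.21 type=10
2016-08-14T09:15:40 4624 user=nurse1 src=10.0.5.21 type=10
2016-08-14T11:00:00 4624 user=drsmith src=198.51.100.9 type=10
"""

# Assumption: anything inside RFC 1918 space is "internal"; everything else
# is treated as external. (ipaddress.is_private is deliberately not used, as
# it also matches documentation ranges such as 203.0.113.0/24.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, event_id, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": fields["user"], "src": fields["src"],
            "type": int(fields["type"])}


def find_rdp_bruteforce(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per source IP with >= threshold RDP failures inside `window`.
    The alert records whether a successful logon followed the burst, which is
    the case that most needs a human to look at it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 10:                 # only remote-desktop logons
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        for start in failures:              # sliding window over failures
            end = start["ts"] + window
            burst = [f for f in failures if start["ts"] <= f["ts"] <= end]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                alerts.append({
                    "src": src,
                    "external": is_external(src),
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after": any(e["event_id"] == 4624
                                         and e["ts"] > last_fail for e in evs),
                })
                break                       # one alert per source is enough
    return alerts


def check_lockout_policy(policy: dict, max_threshold: int = 10,
                         min_duration_minutes: int = 15) -> list:
    """Return findings for lockout settings that leave remote logons open to
    unlimited guessing. Keys mirror the Windows account-lockout settings; a
    threshold of 0 means lockout is disabled. Limits are assumptions."""
    findings = []
    threshold = policy.get("lockout_threshold", 0)
    duration = policy.get("lockout_duration_minutes", 0)
    if threshold == 0:
        findings.append("lockout disabled")
    elif threshold > max_threshold:
        findings.append("lockout threshold too high")
    if threshold != 0 and duration < min_duration_minutes:
        findings.append("lockout duration too short")
    return findings


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
    print(check_lockout_policy({"lockout_threshold": 0}))
```

Run as-is, the script reports a single burst of five failures from 203.0.113.7 against two accounts, flagged as external and followed by a successful logon, and reports that a policy with a zero lockout threshold has lockout disabled. The same shape of check is what the audit-log software the consent order mentions was supposed to be doing on the clinic's behalf; the point of the threshold parameters is that a lockout policy of "never" turns every exposed RDP listener into an unlimited password oracle.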
The investigation also determined Diamond Institute didn’t encrypt any of the ePHI stored on the third-party server. HIPAA does not mandate encryption of ePHI outright; encryption is “an addressable implementation specification,” meaning it must be implemented when a risk assessment determines it is a reasonable and appropriate safeguard for ePHI.
If the assessment finds encryption is not appropriate, the provider must document that determination and either implement an equivalent alternative measure or document the rationale for implementing neither encryption nor an equivalent measure.
According to the consent order, “while the EMR data stored within the password protected Microsoft SQL database was not affected, the intruder was capable of accessing unprotected patient documents, which included patient lab results, ultrasound images and reports, clinical notes, and post-operative notes.”
As a result of the investigation’s findings, Diamond Institute is required to apply “extensive reforms” to its data security system and encryption protocols to ensure the security of its ePHI.
The provider must appoint a new HIPAA privacy and security officer with relevant expertise to manage the comprehensive information security program that Diamond Institute is required to develop and implement, one that keeps pace with both changes in technology and evolving security threats.
Relevant workforce members must be trained on these privacy and security policies, as well as on the proper handling and protection of personal information, PHI, and ePHI. Diamond Institute must also develop and implement a written incident response and breach notification plan to prepare for and respond to security incidents.
Its personal information controls and safeguards must also include encryption, logging and monitoring, access controls, password management, and a risk assessment program.
The $495,000 settlement includes $412,300 in civil penalties and $82,700 in investigation fees. The remaining funds will pay for attorneys’ fees.
The settlement and the security failures behind it should serve as a reminder to other health care delivery organizations of the baseline controls regulators expect, even where HIPAA itself may not strictly require them. As recently noted, HIPAA is a baseline security model, whereas NIST is the ideal standard.
“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey, in a statement. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”