[BreachExchange] New Jersey clinic settles EHR database breach for $495K

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Oct 14 09:15:40 EDT 2021


https://www.beckershospitalreview.com/cybersecurity/new-jersey-clinic-settles-ehr-database-breach-for-495k.html

Millburn, N.J.-based Diamond Institute for Infertility & Menopause has
agreed to pay nearly $500,000 following a 2017 data breach that exposed the
protected health information of more than 14,000 patients, the New Jersey
Attorney General's Office said Oct. 12.

The infertility center in February 2017 discovered that a hacker accessed a
third-party server containing an EHR database. While the database was
encrypted and not exposed, supporting documents containing patients' names,
birth dates, Social Security numbers, lab results and other information may
have been accessible.

The breach affected 14,633 individuals and allowed multiple instances of
unauthorized access to the clinic's network between August 2016 and January
2017, according to the New Jersey attorney general.

The state's consumer affairs division launched an investigation into the
incident, resulting in allegations that the clinic violated HIPAA
regulations as well as the New Jersey Consumer Fraud Act when it removed
administrative and technological safeguards for protected health
information.

In addition to the $495,000 payment, the settlement also requires the
clinic to implement data security system reforms and new encryption
protocols to prevent future breaches, according to the news release from
the attorney general.