Cyber Incident Victim: Diamond Institute for Infertility and Menopause
Date: Feb 2017
Location: United States of America
Summary
The Diamond Institute for Infertility and Menopause experienced a security breach of a third-party server hosting its electronic health records. An unauthorized individual gained access to the server; the encrypted patient records on it remained secure, but unencrypted support documents stored alongside them may have been compromised. Those documents contained sensitive patient information, including names, addresses, Social Security numbers, lab results, and sonograms. Following discovery, the institute initiated an investigation, notified law enforcement, and provided affected individuals with credit monitoring services, ultimately reporting the incident to federal regulators as affecting over 14,000 patients.
Description
On February 27, 2017, the Diamond Institute for Infertility and Menopause, a New Jersey-based medical facility, discovered unauthorized access to a third-party server hosting its electronic health records system. An unknown individual breached the server, though the institute confirmed its encrypted patient health records and primary database remained secure. The investigation revealed that certain unencrypted support documents stored on the same server may have been compromised. These documents potentially contained sensitive patient information, including names, addresses, dates of birth, Social Security numbers, lab results, and sonograms. Diamond Institute immediately initiated an internal investigation upon detection and notified law enforcement agencies, with whom they cooperated throughout the process. The institute did not publicly disclose the method of intrusion or whether data was exfiltrated.

The breach impacted 14,633 individuals, as later reported to the U.S. Department of Health and Human Services (HHS), confirming the institute's status as a HIPAA-covered entity. Affected patients received notifications detailing the exposure risks but were not initially informed of the total number involved. Diamond Institute offered all impacted individuals one year of complimentary identity protection services through AllClear ID. No evidence suggested misuse of the exposed data at the time of reporting. The incident highlighted vulnerabilities associated with third-party server management, though the institute did not publicly name the vendor responsible for maintaining the compromised system. Patient records remained protected due to encryption safeguards on the primary database, limiting the breach's scope to auxiliary documents.
