Supply chain ⛓ Supply Chain

HIPAA Journal

📅 2016-08-28 🏢 Managed service provider (unnamed)
Primary Source ↗

Incident Details

Between August 28, 2016, and January 14, 2017, the Diamond Institute for Infertility and Menopause, a fertility clinic based in Millburn, New Jersey, suffered repeated unauthorized access to its network by at least one intruder operating from a foreign IP address. The breach exposed the electronic protected health information (ePHI) of 14,663 patients, including 11,071 New Jersey residents.

The root cause traced back to the clinic's managed service provider (MSP). Diamond's HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) connection over VPN to access the network remotely. However, VPN access was blocked from an office in Bermuda, so the MSP opened a port in the firewall to allow direct RDP access as a workaround. This exposed the RDP service to the public internet, enabling the attacker to gain access to a workstation in the Millburn office on multiple occasions over roughly five months. Compromised data included patient names, dates of birth, Social Security numbers, medical record numbers, and other sensitive health information related to fertility treatments.

The breach was reported to HHS and patients were notified in approximately April 2017. The New Jersey Attorney General's office investigated and found that Diamond Institute had failed to implement adequate cybersecurity safeguards, including risk assessments, access controls, and audit logging, in violation of HIPAA and the New Jersey Consumer Fraud Act. In November 2021, Acting AG Andrew Bruck announced a settlement requiring Diamond Institute to pay $495,000 ($412,300 in civil penalties and $82,700 in investigative costs) and implement a comprehensive corrective action plan including regular risk assessments, encryption of ePHI, multi-factor authentication, and improved vendor management. The case became a notable example of state-level HIPAA enforcement and the risks posed by MSP workarounds that bypass security controls.
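Two defender-side checks that correspond to the failures described above, added here as an example and not taken from the source or from any organisation named in it: a firewall rule audit that flags remote-administration ports admitted from outside the approved VPN subnet (the "workaround" rule), and an audit-log check that surfaces RDP logons arriving from outside that subnet. The VPN subnet, rule fields and log lines are constructed assumptions for the example.

```python
import ipaddress

# Assumption for the example: admin access is only meant to arrive over the VPN
# tunnel from this subnet. The value is constructed, not from the incident record.
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("10.8.0.0/24")]
REMOTE_ADMIN_PORTS = {3389, 22, 5985, 5986}  # RDP, SSH, WinRM

# Constructed firewall rules modelled on the incident: the intended RDP-over-VPN
# rule beside the MSP "workaround" that admits RDP from the whole internet.
FIREWALL_RULES = [
    {"name": "rdp-via-vpn", "proto": "tcp", "port": 3389, "src": "10.8.0.0/24"},
    {"name": "rdp-bermuda-bypass", "proto": "tcp", "port": 3389, "src": "0.0.0.0/0"},
    {"name": "https-inbound", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
]

def exposed_admin_rules(rules):
    """Names of rules that admit a remote-admin port from any source network
    that is not wholly inside an approved admin network (internet-reachable)."""
    flagged = []
    for rule in rules:
        if rule["port"] not in REMOTE_ADMIN_PORTS:
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        if not any(src.subnet_of(ok) for ok in ALLOWED_ADMIN_SOURCES):
            flagged.append(rule["name"])
    return flagged

# Constructed Windows Security log lines (Event ID 4624 with LogonType=10 is a
# RemoteInteractive, i.e. RDP, logon), flattened to one key=value line each.
SAMPLE_EVENTS = [
    "2016-08-28T22:14:03 EventID=4624 LogonType=10 User=officer SrcIP=10.8.0.5",
    "2016-08-29T03:41:17 EventID=4624 LogonType=10 User=officer SrcIP=203.0.113.44",
    "2016-08-29T09:02:55 EventID=4624 LogonType=2 User=jdoe SrcIP=-",
]

def rdp_logons_from_outside(lines):
    """(timestamp, user, source) for RDP logons whose source address is not in
    an approved admin network; these are the events audit logging should surface."""
    hits = []
    for line in lines:
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        if fields.get("EventID") != "4624" or fields.get("LogonType") != "10":
            continue
        try:
            ip = ipaddress.ip_address(fields.get("SrcIP", ""))
        except ValueError:  # "-" or empty source on local/console logons
            continue
        if not any(ip in ok for ok in ALLOWED_ADMIN_SOURCES):
            hits.append((ts, fields.get("User", "?"), fields["SrcIP"]))
    return hits
```

Either check alone would have made the five months of repeat access visible: the rule audit catches the exposure before the first logon, the log check catches each logon after it.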

Technical Details

Initial Attack Vector
Exposed RDP port opened by managed service provider to bypass VPN restrictions
Vendor / Product
Managed service provider (unnamed)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2016-08-28 Breach occurred
  2. 2017-04-01 Publicly disclosed
  3. 2017-04-01 Customers notified