Athens Orthopedic Clinic Agrees to Pay $1.5 Million to Settle OCR HIPAA Violation Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled another HIPAA violation case, the 6th case to be resolved with a financial penalty in the past week and the 9th of 2020.

The latest settlement was reached with Athens Orthopedic Clinic, an Athens, GA-based healthcare provider that experienced a data breach in 2016. The clinic was the victim of a cyberattack by a hacking group known as the Dark Overlord, which conducted multiple cyberattacks on the healthcare sector in 2016 and beyond.

Athens Orthopedic Clinic learned of the attack on June 26, 2020 when the clinic was contacted by Databreaches.net and told that some of its patient data had been listed for sale by the hackers. An investigation into the breach revealed that the attackers had accessed its systems on June 14, 2016 and stolen data from its electronic medical record system. The records of 208,557 patients were stolen in the attack. Those records included names, dates of birth, Social Security numbers, clinical and medical information, and health insurance information. The breach was reported to OCR on July 29, 2016.

OCR investigates all breaches of 500 or more records and assesses whether the breaches were the result of noncompliance with the HIPAA Rules. During the investigation, OCR discovered systemic noncompliance with the HIPAA Rules.

Specifically, Athens Orthopedic Clinic had not conducted an accurate and comprehensive risk analysis to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as is required by the HIPAA Security Rule. Security policies and procedures had not been implemented to reduce risks to ePHI to a reasonable and acceptable level. Between September 30, 2015 and December 15, 2016, appropriate hardware, software, and procedures had not been implemented for recording and analyzing activity on information systems that contained ePHI.

The clinic did not provide HIPAA training to its entire workforce until January 15, 2018, and it could not produce documentation of HIPAA policies and procedures dated prior to August 2016. In addition, prior to August 7, 2016, the clinic had used three vendors without entering into business associate agreements with them.


OCR determined that as a consequence of the HIPAA violations, the clinic failed to prevent unauthorized access to the ePHI of 208,557 patients.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

Corrective Action Plan includes Specific HIPAA Training Requirements

In addition to paying a financial penalty of $1,500,000, Athens Orthopedic Clinic must adopt a corrective action plan (CAP) to address all areas of noncompliance and will be closely monitored by OCR for a period of 2 years from the date of the CAP to ensure continued compliance. The CAP requires Athens Orthopedic Clinic to revise multiple policies and procedures in order to comply with the Privacy, Security, and Breach Notification Rules. As the policy changes are “material changes” that will affect the functions of members of the workforce, affected members of the workforce will have to undergo refresher Privacy Rule training, while all members of the workforce will have to undergo refresher Security Rule training.

To ensure Athens Orthopedic Clinic complies with the HIPAA training requirements, OCR has stipulated specific timeframes in which refresher training must be provided – these being within thirty days of the training materials being approved by OCR; or, in the case of new hires, within fourteen days. New hires must not be permitted access to PHI until they have completed the approved HIPAA training. Thereafter, refresher training must be provided at least annually for the duration of the corrective action plan, with Athens Orthopedic Clinic under instructions to review and update the training materials at least annually.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/