Athens Orthopedic Clinic Agrees to Pay $1.5 Million to Settle OCR HIPAA Violation Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled another HIPAA violation case, the 6th case to be resolved with a financial penalty in the past week and the 9th of 2020.

The latest settlement was reached with Athens Orthopedic Clinic, an Athens, GA-based healthcare provider that experienced a data breach in 2016. The clinic was the victim of a cyberattack by a hacking group known as the Dark Overlord, which conducted multiple cyberattacks on the healthcare sector in 2016 and beyond.

Athens Orthopedic Clinic learned of the attack on June 26, 2020, when the clinic was contacted by Databreaches.net and told that some of its patient data had been listed for sale by the hackers. An investigation into the breach revealed that the attackers had accessed its systems on June 14, 2016 and stolen data from its electronic medical record system. The records of 208,557 patients were stolen in the attack. Those records included names, dates of birth, Social Security numbers, clinical and medical information, and health insurance information. The breach was reported to OCR on July 29, 2016.

OCR investigates all breaches of 500 or more records and assesses whether the breaches were the result of noncompliance with the HIPAA Rules. During the investigation, OCR discovered systemic noncompliance with the HIPAA Rules.

Specifically, Athens Orthopedic Clinic had not conducted an accurate and comprehensive risk analysis to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as is required by the HIPAA Security Rule. Security policies and procedures had not been implemented to reduce risks to ePHI to a reasonable and acceptable level. Between September 30, 2015 and December 15, 2016, appropriate hardware, software, and procedures had not been implemented for recording and analyzing activity on information systems that contained ePHI.

The clinic did not provide HIPAA training to its entire workforce until January 15, 2018; it could not provide documentation of HIPAA policies and procedures dated prior to August 2016; and prior to August 7, 2016, it had used three vendors without entering into business associate agreements with them.

OCR determined that as a consequence of the HIPAA violations, the clinic failed to prevent unauthorized access to the ePHI of 208,557 patients.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

In addition to paying the financial penalty, Athens Orthopedic Clinic must adopt a corrective action plan (CAP) to address all areas of noncompliance and will be closely monitored by OCR for a period of 2 years from the date of the CAP to ensure continued compliance.