Georgia-based Athens Orthopedic Clinic PA will pay $1.5 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve allegations that it violated Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules. Per the resolution agreement, Athens Orthopedic Clinic will also implement a corrective action plan.
In June 2016, an anonymous hacking group known as “The Dark Overlord” hacked into Athens Orthopedic Clinic’s computer databases. According to the HHS press release, a database of Athens Orthopedic Clinic’s patient records was then posted online for sale. The group demanded a ransom, but Athens Orthopedic Clinic refused to pay. The group was not successfully blocked from Athens Orthopedic Clinic’s systems until July 2016.
The data breach affected the information of 208,557 individuals. According to the HHS press release, the breach exposed protected health information including patients’ names, dates of birth, Social Security numbers, reasons for visit, social history, medications, test results, medical procedures, health insurance information, and payment history.
In July 2016, Athens Orthopedic Clinic filed a breach report with OCR. OCR’s investigation revealed potential violations of HIPAA rules. The HHS press release states these violations include “failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”
OCR Director Roger Severino commented on the data breach in the HHS press release. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”
OTW has been following this cybersecurity incident. For OTW’s previous coverage of this data breach, see “Can Clinic Data Breach Victims Sue If No Financial Loss?” and “Victims Can Sue Ortho Clinics if Data Hacked.”