HIPAA Fine Violation Spotlight

HIPAA Fines Charged For Security and Privacy Rule Violation

In September, the Office for Civil Rights (OCR) reached a $1.5 million settlement with Athens Orthopedic Clinic over a 2016 data breach carried out by the hacking group known as “thedarkoverlord” (TDO). The OCR investigation into the security incident revealed systemic noncompliance with the HIPAA Rules.

A journalist first notified Athens Orthopedic on June 26, 2016 that some of its patient records may have been posted online for sale. Two days later, TDO contacted the clinic and demanded payment in exchange for returning the complete patient records.

Athens Orthopedic’s investigation revealed that on June 14 TDO had used credentials stolen from a third-party vendor, which gave the group access to the clinic’s electronic medical records system and a trove of sensitive patient health information, including Social Security numbers.

Although Athens Orthopedic terminated those compromised credentials, TDO retained access to its EHR for more than a month, until July 16, 2016.

After failing to extort the provider, the hackers posted the stolen data online and on the dark web. Patients soon filed a lawsuit against Athens Orthopedic alleging negligence, breach of implied contract, and “unjust enrichment.” A judge recently revived the case after an initial dismissal.

On July 26, 2016, Athens Orthopedic reported the breach to OCR, which then launched an investigation. The OCR investigation revealed a range of longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules, including failing to conduct a risk analysis, failing to implement risk management and audit controls, and failing to implement sufficient security measures to reasonably reduce risks and vulnerabilities.

OCR also found the clinic did not maintain HIPAA policies and procedures, nor secure business associate agreements with multiple business associates until August 7, 2017. Athens Orthopedic also failed to provide HIPAA Privacy Rule training to workforce members until January 15, 2018.

The investigation also found that from September 30, 2015 to December 15, 2016 the clinic did not follow the HIPAA requirement to implement hardware, software, and/or procedural mechanisms for recording and examining activity in information systems that contain or use ePHI.

“Hacking is the number one source of large health care data breaches,” OCR Director Roger Severino said in a statement. “Healthcare providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers.”

The Athens Orthopedic settlement is only the fourth breach-related settlement this year, as OCR relaxed enforcement amid the COVID-19 pandemic; the others were LifeSpan Health System ($1.04 million), Agape Health ($25,000), and Steven Porter, MD in Ogden, Utah ($100,000).