Athens Orthopedic Clinic will pay $1.5 million to the U.S. Department of Health and Human Services' Office for Civil Rights after a 2016 data breach by hackers, according to an article from Health IT Security. The OCR, which is housed under the U.S. Department of Health and Human Services, audited the clinic after the hacking and revealed “systemic noncompliance with the HIPAA rule.”
The breach was caused by the hacking group “thedarkoverlord,” which in 2016 hacked into multiple health care systems to steal patient data to sell on the dark web or use to extort providers. The group stole the data of more than 655,000 patients before the end of its hacking campaign, according to the article. One member of the group was indicted in 2019.
In June 2016, AOC was notified that some of their patient records were posted online for sale. One of the hackers called the clinic two days later and demanded payment in exchange for the records, according to the article.
The group used stolen third-party credentials to access AOC’s medical records system, which includes patients’ Social Security numbers, according to the article. The group had access to the clinic’s records for more than a month.
The hackers posted the stolen data online, and three AOC patients sued the clinic in August 2016. The case was initially dismissed but will be heard at the Athens-Clarke County Superior Court after the Georgia Supreme Court overruled the dismissal in January.
The OCR audit of the clinic revealed a range of noncompliance with HIPAA, the Health Insurance Portability and Accountability Act, which protects patient information from being disclosed without the patient’s consent or knowledge.
AOC did not maintain HIPAA policies and procedures or secure business associate agreements until 2017, and it did not provide privacy training to workers until 2018, the audit found. The OCR also found the clinic did not follow HIPAA requirements for its electronic health records, according to the article.
In addition to the $1.5 million fine, AOC entered into a corrective action plan with OCR. The clinic must review all relationships with vendors and third-party service providers. The clinic will also conduct a security risk analysis of its electronic system vulnerabilities.
AOC must “review and revise its policies and procedures to comply with HIPAA, with ‘particular revisions’ to its technical access controls for all network and server equipment, systems, and software applications to prevent impermissible access to ePHI,” according to the article.