Georgia clinic pays $1.5 million to settle potential HIPAA-compliance violations after hacking

Athens, Ga. — Athens Orthopedic Clinic will pay $1.5 million to the Office for Civil Rights and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules, according to an OCR news release, after a hacking incident.

In 2016, a journalist told Athens Orthopedic, which provides services to 138,000 patients annually, that a database of their patient records may have been posted online for sale. Later that same month a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole.

Athens Orthopedic determined that the hacker used a vendor's credentials to access their electronic medical record system and patient health data.

Athens Orthopedic filed a breach report notifying OCR that 208,557 individuals were affected by this breach, which included patients' names, dates of birth, social security numbers, medical procedures, test results and health insurance information.

OCR's investigation discovered “longstanding, systemic” noncompliance with the HIPAA Privacy and Security Rules, the release stated, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates and provide HIPAA Privacy Rule training to employees.

In addition to the monetary settlement, Athens Orthopedic has agreed to a corrective action plan that includes two years of monitoring.