The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.

OCR’s subsequent investigation revealed a longstanding pattern of noncompliance with the HIPAA Privacy and Security Rules by AOC, including the failure to conduct a risk analysis or implement any risk management and audit controls, maintain HIPAA policies and procedures, maintain business associate agreements with various business associates, or provide Privacy Rule training to members of the workforce. According to OCR Director Roger Severino, “Hacking is the number one source of large health care data breaches,” and providers’ failure to comply with the HIPAA Security Rule leaves patient data vulnerable to hackers.

The OCR news release and AOC’s resolution agreement and corrective action plan may be viewed here.