Natali_Mis/istock via Getty Imag

Athens Orthopedic Pays OCR $1.5M Over Systemic HIPAA Noncompliance

The notorious hacking group “thedarkoverlord” hacked the Athens Orthopedic Clinic in 2016, posting patient data online. The OCR audit that followed revealed systemic HIPAA noncompliance.

The Office for Civil Rights reached a settlement with the Athens Orthopedic Clinic for $1.5 million over a 2016 data breach caused by the notorious hacking group known as “thedarkoverlord” (TDO). The OCR audit into the security incident revealed systemic noncompliance with the HIPAA rule. 

Before the recent rise in double extortion attempts led by ransomware hacking groups like Maze and NetWalker, TDO wreaked havoc on the healthcare sector in 2016. Primarily targeting the healthcare sector, TDO would hack into targeted networks to then sell access on the dark web or extort the provider for a financial payout. 

TDO stole the data of more than 655,000 patients, including the Athens Orthopedic, before the end of the campaign. One member of TDO was indicted in 2019. 

In the case of Athens Orthopedic, a journalist first notified the provider that some of their patient records may be posted online for sale on June 26, 2016. Two days later, TDO contacted the clinic and demanded payment in order for the complete patient records to be returned. 

Athens Orthopedic’s investigation revealed TDO leveraged credentials stolen from a third-party vendor on June 14, which gave them access to its electronic medical records system and a trove of sensitive patient health information, including Social Security numbers. 

Although Athens Orthopedic terminated those compromised credentials, TDO had access to its EHR for more than a month until July 16, 2016. 

The hacker then posted the stolen data online and on the dark web, after failing to extort the provider. Patients soon filed a lawsuit against Athens Orthopedic arguing the provider was negligent, breached implied contract, and “unjust enrichment.” A judge recently revived the case after an initial dismissal. 

On July 26, 2016, Athens Orthopedic reported the breach to OCR, which then launched an audit. The OCR investigation revealed a range of longstanding, systemic noncompliance with the HIPAA Privacy and Security Rule, which included failing to conduct a risk analysis, implement risk management and audit controls, and the requirement to implement sufficient security measures to reasonably reduce risks and vulnerabilities. 

OCR also found the clinic did not maintain HIPAA policies and procedures, nor secure business associate agreements with multiple business associates until August 7, 2017. Athens Orthopedic also failed to provide HIPAA Privacy Rule training to workforce members until January 15, 2018. 

The investigation also found the clinic did not follow the HIPAA requirement to implement sufficient hardware, software, and or procedural mechanisms for recording and examining activity in information systems that contain or use ePHI from September 30, 2015 to December 15, 2016. 

"Hacking is the number one source of large health care data breaches,” OCR Director Roger Severino, said in a statement. “Healthcare providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers.” 

In addition to the civil monetary penalty, Athens Orthopedic agreed to and entered a corrective action plan (CAP) with OCR. 

Under the CAP, the clinic must review all relationships with its vendors and third-party service providers to identify HIPAA-covered business associates, which will include names, description of provided services, dates of service, descriptions of its handling with PHI, and copies of business associates agreements maintained by Athens Orthopedic. 

Athens Orthopedic is always required to conduct an accurate enterprise-wide security risk analysis of system vulnerabilities of all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by the provider or its affiliates as it relates to stored, transmitted, or received ePHI. This must include an inventory of all devices that interact with ePHI. 

The CAP also requires the clinic to review and revise its policies and procedures to comply with HIPAA, with “particular revisions” to its technical access controls for all network and server equipment, systems, and software applications to prevent impermissible access to ePHI, and technical mechanisms to create access and activity logs and administrative procedures to routinely review logs for suspicious activity. 

Further particular revisions must also be made to the policies and procedures for the termination of user accounts when necessary and applicable, appropriate configuration of user accounts, password management, addressing and documenting security incidents, breach notification content requirements, business associate agreements, and a host of other elements. 

The Athens Orthopedic settlement is just the fourth breach-related settlement this year, as OCR laxed enforcement amid the COVID-19 pandemic: LifeSpan Health System ($1.04 million), Agape Health ($25,000), and Steven Porter, MD in Ogden, Utah ($100,000). 

In addition, OCR recently settled HIPAA Right of Access violations with five separate providers.

Dig Deeper on HIPAA compliance and regulation