On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.
The settlement followed an OCR investigation into a July 2016 data breach reported by Athens Orthopedic in which hackers gained access to its systems using third-party vendor credentials and exfiltrated protected health information (“PHI”). The records of 208,557 patients were stolen and posted online, including names, dates of birth, Social Security numbers, medical procedure details, test results, billing information and health insurance information.
OCR’s investigation found that Athens Orthopedic was in longstanding noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements and provide HIPAA Privacy Rule training to workforce members. Under the terms of OCR’s resolution agreement, Athens Orthopedic must adopt a corrective action plan that includes two years of monitoring.
“Hacking is the number one source of large health care data breaches,” said OCR Director Roger Severino. “Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”