- A Georgia orthopaedic practice will pay $1.5 million to settle potential HIPAA violations after a hacker gained access to the protected health information of more than 200,000 patients.
- The HHS Office for Civil Rights said Monday the practice, Athens Orthopedic, had longstanding and systemic noncompliance with HIPAA, including a lack of training for staff and a failure to secure business associate agreements.
- Athens Orthopedic also agreed to a corrective action plan and two years of monitoring. The practice is required to submit a risk analysis to HHS that includes an inventory of electronic equipment, data systems and applications that contain or store health information.
In the past two years, 640 health data breaches have been reported to OCR, including nearly 40 just this month. Of those, 442 were the result of a hacking incident. Entities covered by HIPAA are required to report breaches affecting at least 500 people.
A journalist notified the practice in June 2016 that a database of patient information had been posted for sale online. Two days later, the hacker demanded money in exchange for returning the stolen database. Athens Orthopedic filed a breach report with OCR about a month later.
The hacker group, which called itself The Dark Overlord, gained access to the health information using a vendor's credentials and continued to have access for more than a month. The information included patients' medical procedures, test results, health insurance information, names, dates of birth and Social Security numbers.
Healthcare companies have long struggled with protecting patient data. A recent report from consulting firm CynergisTek showed that fewer than half of the organizations it studied met national cybersecurity standards last year.
Physician practices performed the worst, with only 20% compliance.