Dive Brief:
- A Georgia orthopaedic practice will pay $1.5 million to settle potential HIPAA violations after a hacker gained access to the protected health information of more than 200,000 patients.
- The HHS Office of Civil Rights said Monday the practice, Athens Orthopedic, had longstanding and systemic noncompliance with HIPAA, including a lack of training for staff and a failure to secure business associate agreements.
- Athens Orthopedic also agreed to a corrective action plan and two years of monitoring. The practice is required to submit a risk analysis to HHS that includes an inventory of electronic equipment, data systems and applications that contain or store health information.
Dive Insight:
Cybersecurity is a major concern for providers — one that has only grown as the COVID-19 pandemic has sapped resources and forced a huge migration of services online at a blistering pace.
In the past two years, 640 health data breaches have been reported to OCR, including nearly 40 just this month. Of those, 442 were the result of a hacking incident. Entities covered by HIPAA are required to report breaches affecting at least 500 people.
A journalist notified the practice in June 2016 that a database of patient information had been posted for sale online. Two days later, the hacker demanded money for returning the database it stole. Athens Orthopedic filed a breach report with OCR about a month later.
The hacker group, which called itself The Dark Overlord, gained access to the health information using a vendor's credentials and continued to have access for more than a month. The information included patients' medical procedures, test results, health insurance information, names, dates of birth and Social Security numbers.
Healthcare companies have long struggled with protecting patient data. A recent report from consulting firm CynergisTek showed that fewer than half of the organizations it studied met national cybersecurity standards last year.
Physician practices performed the worst, with only 20% compliance.