On September 21, 2020 the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $1,500,000 settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
According to HHS, hackers accessed the Athens Orthopedic electronic medical records system in 2016 and stole the data of over 200,000 patients. This data included patient names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. The hackers had access to the electronic medical records for over a month, including for several weeks after Athens Orthopedic knew of the breach.
According to the HHS press release, “OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”
In addition to the monetary settlement, Athens Orthopedic agreed to a thorough and detailed two-year Corrective Action Plan.
You can read the HHS Resolution Agreement and the Corrective Action Plan here: https://www.hhs.gov/sites/default/files/athens-orthopedic-ra-cap.pdf