The HHS’ Office for Civil Rights made an announcement regarding a settlement it has arrived at with Athens Orthopedic Clinic PA to take care of multiple Health Insurance Portability and Accountability Act (HIPAA) rules violations.
OCR performed an investigation into a data breach that a healthcare provider based in Athens, GA reported on July 29, 2016. On June 26, 2026, Dissent of Databreaches.net notified Athens Orthopedic Clinic that a database that contains the electronic protected health information (ePHI) of its patients had been posted for sale on the internet by a hacking group identified as The Dark Overlord. The hackers are noted for infiltrating systems, data theft, and demanding ransom payments. If the victims don’t pay the ransom, the stolen information is published online.
Athens Orthopedic Clinic looked into the breach and confirmed that the hackers acquired access to its systems on June 14, 2016 by using vendor credentials and stole records from its EHR system. The data of 208,557 patients were taken in the attack, which includes names, Social Security numbers, birth dates, procedures performed, test findings, clinical data, payment details, and medical insurance information.
OCR admits that it’s not possible to stop all cyberattacks, nevertheless when data breaches take place due to the inability to adhere to the HIPAA Rules, financial charges are issued.
Hacking is the top source of big healthcare data breaches. When medical companies are not able to adhere to the HIPAA Security Rule, their patients’ health information become an appealing target for threat actors.
The OCR breach investigation uncovered the following systemic non-adherence with the HIPAA regulations:
Athens Orthopedic Clinic didn’t conduct an appropriate and detailed review of the potential risks and vulnerabilities to the confidentiality, availability, and integrity of ePHI, which violates 45 C.F.R. § 164.308(a)(1)(ii)(B).
Security measures were not put in place to decrease the potential risks to ePHI to a good and suitable level, which infringes 45 C.F.R. § 164.308(a)(1)(ii)(A).
Between September 30, 2015 and December 15, 2016, Athens Orthopedic Clinic was unable to employ the correct hardware, software program, and processes for documenting and examining information system activity, which violates 45 C.F.R. §§ 164.312(b).
The provider took until August 2016 for HIPAA guidelines and procedures to be kept, which infringes
45 C.F.R. § 164.530(i) and (j), and before August 7, 2016, the clinic didn’t enter into business associate agreements with three vendors, which violates 45 C.F.R. § 164.308(b)(3).
Before January 15, 2018, Athens Orthopedic Clinic did not have a HIPAA Privacy Rule training to its existing employees, which infringes 45 C.F.R. § 164.530(b).
Due to the failure to comply, Athens Orthopedic Clinic was unable to avoid hackers from obtaining unauthorized access to the PHI of 208,557 patients, which violates 45 C.F.R. §164.502(a)).
Aside from the financial fine, Athens Orthopedic Clinic has consented to adopt a corrective action plan that covers all areas of noncompliance found in the OCR audit. The clinic resolved the violation without admission of liability.
This is OCR’s 6th HIPAA settlement reported in September and the 9th HIPAA penalty in 2020. Prior to this month, OCR published having five settlements with HIPAA-covered entities in accordance with its HIPAA Right of Access initiative for being unable to provide patients with their health records copy.
