Athens Orthopedic Clinic will pay $1.5 million to HHS' Office for Civil Rights for potential Health Insurance Portability and Accountability Act violations, the agency said Monday.
According to HHS, patient records for more than 200,000 people may have been posted for sale online in June after a hacker used a vendor's credentials to access the Athens Orthopedic electronic healthcare record system. The hacker told Athens Orthopedic it would exchange a complete copy of the stolen database for a ransom payment.
"OCR's investigation discovered longstanding, systemic noncompliance with the HIPAA privacy and security rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates and provide HIPAA privacy rule training to workforce members," the agency said in a statement.
The Georgia-based provider agreed to adopt a corrective action plan to address the issues that led to the security breach, including two years of monitoring.
"Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA security rule make their patients' health data a tempting target for hackers," OCR Director Roger Severino said in a statement.