On September 21, 2020, the Office for Civil Rights (OCR) announced its largest HIPAA enforcement settlement so far this year. Athens Orthopedic Clinic, PA in Georgia (the Clinic) agreed to pay $1.5 million and to adopt a corrective action plan requiring two years of monitoring after a 2016 hacking incident that compromised over 200,000 patient records. This is a sizable settlement for the Clinic, which employs fewer than 400 people and serves about 138,000 patients each year.
On June 26, 2016, a journalist notified the Clinic that “a database of [its] patient records” was available online for sale. Two days later, a hacker emailed the Clinic demanding money in exchange for the return of the data without further disclosure. A forensic investigation revealed that the hacker gained access to a vendor’s credentials and began accessing the system on June 14, 2016. According to OCR, the provider terminated the compromised credentials on June 27, 2016, but did not effectively stop the intrusion until about three weeks later.
OCR determined that the breach affected 208,557 individuals and that patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information were involved.
OCR’s investigation revealed several areas of noncompliance. Further, its findings illustrate how a compliance investigation related to one incident can result in many different non-compliance findings. OCR found that the Clinic violated the following HIPAA Security Rule requirements:
- it failed to conduct an adequate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI);
- it failed to implement sufficient mechanisms to record and examine activities in systems that use or contain ePHI;
- it failed to enter into business associate agreements with vendors that had access to ePHI;
- it failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
OCR’s HIPAA Privacy Rule findings included the failure to prevent unauthorized access to ePHI; to maintain copies of its HIPAA policies and procedures; and to provide its entire workforce with training. Many of the findings relate to failures prior to the incident, implying that the Clinic has since come into compliance.
Key takeaways from this enforcement resolution:
- OCR investigations of a hacking or IT incident will always include an assessment of any risk analyses performed and of applicable HIPAA Security Rule policies, as well as a review of basic HIPAA Privacy Rule requirements.
- Compliance after the fact will not save a provider from costly settlements or enforcement penalties.
- Seven-figure settlements are not reserved just for large hospital systems.
In its press release, OCR’s Director Roger Severino pointed out that “hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” Expect OCR to continue to investigate hacking and IT incidents and to enforce vigorously when it finds lack of compliance, just as it did in 2019.