GA Orthopedic Practice In $1.5M HIPAA Settlement

Rivkin Radler LLP

On September 21, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $1.5 million agreement with Athens Orthopedic Clinic PA to settle “longstanding, systemic noncompliance” with the HIPAA Privacy and Security Rules. OCR’s investigation was triggered by a 2016 data breach that affected more than 200,000 of Athens Orthopedic’s patients. The practice employs 22 physicians along with more than 50 physical therapists and other ancillary personnel at 10 office locations in Georgia.

In 2016, a hacking group known as “thedarkoverlord” stole the data of more than 655,000 patients, including patients of Athens Orthopedic. After demanding ransom payments for the return of the data, which Athens Orthopedic refused to pay, the hackers posted patient records online. Some of Athens’ patients filed a lawsuit against the practice, which is still pending, claiming, among other things, that Athens was negligent.

After Athens Orthopedic reported the data breach to OCR, OCR’s investigation revealed numerous HIPAA violations, “including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”

In addition to the civil monetary penalty, Athens Orthopedic’s Resolution Agreement with OCR includes an unusually extensive corrective action plan (CAP) to address all of the violations. Among the CAP requirements, Athens Orthopedic must review and revise its HIPAA policies and procedures, particularly with regard to its technical access controls for stored electronic protected health information, and conduct an enterprise-wide security risk analysis of system vulnerabilities of all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by Athens Orthopedic and its affiliates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
