Orthopedic clinic pays $1.5 million to settle systemic noncompliance with HIPAA rules


With EHR security still lagging behind the capabilities of attackers, it is no surprise that the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) uses every enforcement tool it has to get covered entities and business associates to take security seriously.

If that means a $1.5 million settlement with a single covered entity, the maximum annual penalty amount under HIPAA, to resolve long-standing noncompliance and signal what will not be tolerated, then so be it.

That is exactly what happened to Athens Orthopedic Clinic, an Athens, GA-based practice founded in 1966 that provides orthopedic services to roughly 130,000 patients a year.

What happened

On June 26, 2016, the data breach journalist Dissent of DataBreaches.net (regular readers of this blog will remember this individual from the Blackbaud incident) notified the clinic that protected health information (PHI) belonging to its patients had been posted for sale on the dark web.

After an initial investigation, Athens Orthopedic Clinic determined that the hacking group known as The Dark Overlord had obtained credentials on June 14, 2016 for a third-party vendor system that contained patient data, and had used them to get in.

Over the following month, until July 16, 2016, the group continued to access the clinic's PHI. The breach report the clinic filed with OCR showed that 208,557 individuals were affected and that names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information had been extracted from the database.

What a further investigation uncovered

Suffice it to say, this was one of the more notorious hacks of a covered entity in a long time. When OCR investigated further, it found longstanding, systemic noncompliance with the HIPAA rules by Athens Orthopedic Clinic, including:

  • Failure to conduct a risk analysis of the risks to its electronic PHI
  • No implementation of risk management
  • No implementation of audit controls (the logging and log-review mechanisms that record activity in systems holding ePHI)
  • Failure to maintain HIPAA policies and procedures
  • Failure to secure business associate agreements (BAAs) with multiple business associates
  • No HIPAA Privacy Rule training for workforce members

Without these controls, The Dark Overlord had an easy time: with no risk analysis, the exposure created by vendor credentials to the clinic's database was never assessed, and with no audit controls, a month of unauthorized access went undetected internally while patients' PHI was being offered for sale on the dark web. The clinic learned of the breach from an outside journalist, not from its own monitoring.

In addition to the $1.5 million settlement, Athens Orthopedic Clinic was required to adopt a corrective action plan (CAP) that includes reviewing all relationships with vendors and third-party services in order to identify every business associate.

The clinic was also required to revise its policies to comply with HIPAA's access control requirements for software applications, so that impermissible access to electronic PHI (ePHI) is prevented.

In all, Athens Orthopedic Clinic was ordered to carry out a complete security overhaul.

How Paubox would make a difference

As you can see, failure to follow basic HIPAA requirements can spell disaster for your organization.

Paubox Email Suite Standard, Plus, and Premium, as well as the Paubox Email API, are HITRUST CSF certified, which means our HIPAA compliant email products have met key regulatory and industry-defined requirements for managing security risk.

Additionally, Paubox signs a BAA with all of its healthcare customers.

Had Athens Orthopedic Clinic used Paubox for email, at least that portion of its PHI handling would have been covered by a BAA and a certified service, addressing part of the violations OCR found.

Because healthcare organizations hold a wealth of sensitive data, they are a major target for cybercriminals. Unfortunately, many covered entities lack the security controls needed to withstand well-designed attacks.

The takeaway

While this case is egregious and certainly an outlier, the fact remains that large sets of PHI all over the world are vulnerable to attack.

Perhaps a fine of this size will cause healthcare organizations to wake up and finally take a closer look at how well they are securing patient data against cyber threats.

By following HIPAA guidelines and contracting with services that are built for compliance, covered entities can do a much better job of protecting themselves and their patients while avoiding enforcement actions from regulators like HHS and OCR.

Try Paubox Email Suite for FREE today.

About the author

Rikin Shah
