[BreachExchange] Athens Orthopedic Pays OCR $1.5M Over Systemic HIPAA Noncompliance

Destry Winant destry at riskbasedsecurity.com
Tue Sep 22 10:31:54 EDT 2020


https://healthitsecurity.com/news/athens-orthopedic-pays-ocr-1.5m-over-systemic-hipaa-noncompliance

September 21, 2020 - The Office for Civil Rights reached a settlement
with the Athens Orthopedic Clinic for $1.5 million over a 2016 data
breach caused by the notorious hacking group known as
“thedarkoverlord” (TDO). The OCR audit into the security incident
revealed systemic noncompliance with the HIPAA rule.

Before the recent rise in double extortion attempts led by ransomware
hacking groups like Maze and NetWalker, TDO wreaked havoc on the
healthcare sector in 2016. Primarily targeting healthcare providers,
TDO would hack into their networks and then either sell that access on
the dark web or extort the provider for a financial payout.

TDO stole the data of more than 655,000 patients, including those of
Athens Orthopedic, before the end of the campaign. One member of TDO
was indicted in 2019.

In the case of Athens Orthopedic, a journalist first notified the
provider that some of their patient records may be posted online for
sale on June 26, 2016. Two days later, TDO contacted the clinic and
demanded payment in order for the complete patient records to be
returned.

Athens Orthopedic’s investigation revealed TDO leveraged credentials
stolen from a third-party vendor on June 14, which gave them access to
its electronic medical records system and a trove of sensitive patient
health information, including Social Security numbers.

Although Athens Orthopedic terminated those compromised credentials,
TDO had access to its EHR for more than a month until July 16, 2016.

The hackers then posted the stolen data online and on the dark web,
after failing to extort the provider. Patients soon filed a lawsuit
against Athens Orthopedic alleging negligence, breach of implied
contract, and unjust enrichment. A judge recently revived the case
after an initial dismissal.

On July 26, 2016, Athens Orthopedic reported the breach to OCR, which
then launched an audit. The OCR investigation revealed a range of
longstanding, systemic noncompliance with the HIPAA Privacy and
Security Rules, including failures to conduct a risk analysis, to
implement risk management and audit controls, and to implement
sufficient security measures to reasonably reduce risks and
vulnerabilities.

OCR also found the clinic did not maintain HIPAA policies and
procedures, nor secure business associate agreements with multiple
business associates until August 7, 2017. Athens Orthopedic also
failed to provide HIPAA Privacy Rule training to workforce members
until January 15, 2018.

The investigation also found that, from September 30, 2015 to
December 15, 2016, the clinic did not follow the HIPAA requirement to
implement sufficient hardware, software, and/or procedural mechanisms
for recording and examining activity in information systems that
contain or use ePHI.

“Hacking is the number one source of large health care data breaches,”
OCR Director Roger Severino said in a statement. “Healthcare
providers that fail to follow the HIPAA Security Rule make their
patients' health data a tempting target for hackers.”

In addition to the civil monetary penalty, Athens Orthopedic agreed to
and entered a corrective action plan (CAP) with OCR.

Under the CAP, the clinic must review all relationships with its
vendors and third-party service providers to identify HIPAA-covered
business associates. The review must include their names, descriptions
of the services provided, dates of service, descriptions of their
handling of PHI, and copies of the business associate agreements
maintained by Athens Orthopedic.

Athens Orthopedic is also required to conduct an accurate
enterprise-wide security risk analysis of system vulnerabilities in
all electronic equipment, data systems, programs, and applications
controlled, administered, owned, or shared by the provider or its
affiliates that store, transmit, or receive ePHI. This must include an
inventory of all devices that interact with ePHI.

The CAP also requires the clinic to review and revise its policies and
procedures to comply with HIPAA, with “particular revisions” to its
technical access controls for all network and server equipment,
systems, and software applications to prevent impermissible access to
ePHI, to the technical mechanisms that create access and activity
logs, and to the administrative procedures for routinely reviewing
those logs for suspicious activity.

Further particular revisions must also be made to the policies and
procedures for the termination of user accounts when necessary and
applicable, appropriate configuration of user accounts, password
management, addressing and documenting security incidents, breach
notification content requirements, business associate agreements, and
a host of other elements.

The Athens Orthopedic settlement is just the fourth breach-related
settlement this year, as OCR relaxed enforcement amid the COVID-19
pandemic. The others were LifeSpan Health System ($1.04 million), Agape
Health ($25,000), and Steven Porter, MD in Ogden, Utah ($100,000).

In addition, OCR recently settled HIPAA Right of Access violations
with five separate providers.
