The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $1.5 million settlement with a healthcare provider over a data breach that exposed the identities of about 209,000 individuals.
The breach occurred in 2016. An investigation found that a hacker used a vendor’s credentials to access the provider’s systems and exfiltrate patient data. The hacker retained access for a month, even after contacting the provider, Athens Orthopedic Clinic, and demanding money in return for a complete copy of the stolen database.
The medical records and protected health information of nearly 209,000 individuals were compromised, including names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information.
After the provider reported the breach, an OCR investigation uncovered “longstanding, systemic noncompliance” with the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). For example, the investigation found that the provider had failed to maintain copies of its HIPAA policies and procedures and had failed to provide HIPAA training to its entire workforce.
“Hacking is the number one source of large health care data breaches,” said OCR Director Roger Severino, in a statement. “Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”
Along with paying $1.5 million, the provider has also agreed to implement a “robust” corrective action plan, according to the OCR, which includes updating its policies and procedures, conducting additional training, retaining additional records, and properly identifying business associates.