Hefty HIPAA Fine After Breach Involving ‘The Dark Overlord’

Regulator: Georgia Clinic Showed ‘Systemic Noncompliance’

Federal regulators have announced a $1.5 million HIPAA settlement with Athens Orthopedic Clinic in Georgia, stemming from a 2016 breach involving The Dark Overlord hacking group that exposed the records of nearly 209,000 individuals. The exposed PHI included name, date of birth, SSN, patient demographic information, clinical information, and financial/billing information. The case serves to indicate the potentially hefty cost of failure to implement a comprehensive HIPAA compliance program.

In a Monday statement, the Department of Health and Human Services’ Office for Civil Rights (OCR) said its resolution agreement with Athens Orthopedic Clinic includes an extensive correction action plan.

The $1.5 million settlement is the largest HIPAA penalty OCR has levied so far this year.

‘Systemic Noncompliance’
“Hacking is the No. 1 source of large healthcare data breaches,” Roger Severino, OCR director, says in the statement. “Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”

OCR’s investigation into the breach uncovered “longstanding, systemic noncompliance with the HIPAA privacy and security rules,” including:

  • Failure to conduct a risk analysis
  • Failure to implement risk management and audit controls,
  • Failure to maintain HIPAA policies and procedures,
  • Failure to secure business associate agreements with multiple business associates
  • Failure to provide HIPAA Privacy Rule training to workforce members

The clinic also did not take reasonable steps to respond to the breach. A computer forensic analysis determined that the hacker group had obtained a vendor’s credentials to the clinic’s system and used them to gain access on June 14, 2016. AOC terminated the compromised credentials on June 27, 2016, but the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.

Athens Orthopedic Clinic also faces a class-action lawsuit tied to the breach.

Corrective Action Plan
Under the settlement with OCR, the clinic has agreed to undertake a detailed corrective action plan that includes:

Providing OCR with an accounting of all its business associates and copies of business associate agreements
Conducting an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all systems controlled, administered, owned, or shared by the clinic or its affiliates
Developing an enterprise-wide risk management plan to mitigate any security risks and vulnerabilities identified
Reviewing and revising its written policies and procedures to comply with the HIPAA privacy, security, and breach notification rules
Distributing its OCR-approved policies and procedures to all employees
Providing training to all employees.

The most important takeaway from this case may be that the OCR can, and will, use a compliance review – like a breach-based investigation – to evaluate an entity’s compliance with many different requirements of the HIPAA rules and assess potential violations on applicable noncompliance.

Given this enforcement approach, it’s always best for an entity to implement robust compliance programs prior to any particular security incident or breach.

If you have questions about your information security compliance and the evolving threat landscape, call ITPAC today.