On September 22, 2020, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that Athens Orthopedic Clinic PA will pay $1.5 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The clinic fell victim to a data breach on June 28, 2016, during which a hacker gained access to its electronic medical record (EMR) system and exposed the protected health information (PHI) of over 208,500 individuals. Under the settlement agreement, Athens Orthopedic Clinic must implement a two-year corrective action plan to resolve the noncompliance issues discovered during OCR’s investigation, including, among others, failures to perform a risk analysis, to implement risk management and audit controls, and to maintain HIPAA policies and procedures.