Back in 2016, a hacker gained access to Athens Orthopedic Clinic (Athens, GA) and stole over 200,000 patient records that included names, dates of birth, and medical, test and financial information, all of which is considered protected health information (PHI).
Just recently, Athens was found at fault and ordered to pay $1.5 million in a settlement with the Office for Civil Rights (OCR). It was determined that the hacker had obtained a third-party vendor's credentials, stolen the data and demanded a ransom in exchange for not disclosing it. The hacker had complete access to their systems for close to a month.
Athens was cited for violations of HIPAA law, which requires covered entities to protect PHI against unauthorized access. The biggest takeaway from this case is Athens's approach to HIPAA compliance. HIPAA requires that health care providers do the following:
- Conduct regular security assessments
- Conduct HIPAA training for employees
- Implement the appropriate controls for hardware, software and procedures related to PHI
- Use and maintain business associate agreements with the appropriate vendors
If your health care organization is found non-compliant with HIPAA law, the OCR can and will enforce penalties. The reality is that data breaches are going to occur, so your health care organization should be proactive and compliant with HIPAA law. Kimmell Cybersecurity can perform regular risk and security assessments to ensure your organization is HIPAA compliant before it is too late.