Posted In: Health Care & Cybersecurity & Data Privacy
Technology & Health Care
Compliance Checkup & Corporate TIPS: OCR Agrees to $1.5 Million Settlement with Orthopedic Clinic for HIPAA Breach
By Nicole M. Thorn on September 30, 2020
Data breaches have been top of mind for a while now, and their risk to the health care sector has never been higher. On September 21, 2020, the Office of Civil Rights (OCR) settled with Athens Orthopedic Clinic PA (Athens) for $1.5 million for a cyber breach it self-reported back in 2016. A hacker gained access to Athens’ systems using third-party credentials and stole 208,557 patient records that included names, dates of birth, medical procedure details, test results and financial information, all deemed protected health information (PHI).
Unfortunately, these stories are sounding more sci-fi every day. According to the Resolution Agreement, a hacker group known as “The Dark Overlord” contacted Athens in a ransomware-like manner to notify the medical group that it had a copy of its database and demanded ransom not to disclose it. While the Athens’ forensics team determined that the hackers obtained a vendor’s credentials to access their systems, the access denial was delayed by only thirteen days, but The Dark Overlord’s effective access was not blocked until about 30 days later.
OCR’s investigation cited potential violations of 45 C.F.R. §164.502(a) of the HIPAA law, which is the requirement to prevent the unauthorized access to PHI. More importantly, and the key takeaway here is that OCR also cited other aspects of the HIPAA law which were problematic in Athens’ approach to HIPAA compliance. HIPAA requires health care providers to conduct regular security risk assessments (45 C.F.R. § 164.308(a)(1)(ii)(A)), conduct HIPAA training for employees (45 C.F.R. § 164.530(b)), implement appropriate hardware, software, and procedural mechanisms that record activity in information systems containing PHI (45 C.F.R. §§ 164.312(b)), and the use and maintenance of business associate agreements with appropriate vendors (45 C.F.R. § 164.308(b)(3)). Athens entered into a corrective action plan with OCR to remedy these allegations in addition to paying the $1.5 million penalty.
Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not contain a private right of action, meaning individuals cannot recover damages under this law, OCR can and will enforce penalties against health care providers who are non-compliant. Data breaches are going to occur, but providers must be diligent with their mitigating measures to show a good faith effort in their compliance approach.
With the sophistication of data hacking technology, we cannot grow weary in our compliance efforts to ensure our technology is secure. Remote-hosted software platforms and cloud-based solution provider contracts should be reviewed to determine the security measures in place and who has the liability for data breaches. Your hardware vendor should be able to conduct a formal technical assessment that meets the HIPAA security risk analysis requirements. Finally, your internal policies and training are equally important. Although business associates can be held directly liable under HIPAA, a covered entity is still the owner of the PHI. If you want some assistance with any of these compliance obligations, please contact us.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2020 Brouse McDowell. All rights reserved.