Athens Orthopedic Clinic PA has agreed to pay $1,500,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
On June 26, 2016, Athens Orthopedic was notified that a database of their patient records had been posted online for sale.
On June 28, 2016, the hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole.
The hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data.
On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach.
The data exposed in the attack included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
OCR also found longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic, including failures to conduct a risk analysis, to implement risk management, and to implement audit controls, among others.
Source: https://www.databreaches.net/?s=Athens+orthopedic
"id": "ATH142429123",
"linkid": "athens-orthopedic-clinic",
"type": "Data Leak",
"date": "06/2016",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"