Athens Orthopedic Clinic PA has agreed to pay $1,500,000 to the Office for Civil Rights at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
On June 26, 2016, Athens Orthopedic was notified that a database of its patient records had been posted online for sale.
On June 28, 2016, the hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole.
The hacker used a vendor’s credentials on June 14, 2016, to access the clinic’s electronic medical record system and exfiltrate patient health data.
On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach.
The data disclosed in the attack included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
OCR also found longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic, including failures to conduct a risk analysis and to implement risk management and audit controls, among others.
Source: https://www.databreaches.net/?s=Athens+orthopedic
TPRM report: https://scoringcyber.rankiteo.com/company/athens-orthopedic-clinic
"id": "ath142429123",
"linkid": "athens-orthopedic-clinic",
"type": "Data Leak",
"date": "06/2016",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '208,557',
'industry': 'Healthcare',
'location': 'Athens, Georgia',
'name': 'Athens Orthopedic Clinic PA',
'type': 'Healthcare Provider'}],
'attack_vector': 'Stolen Credentials',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '208,557',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['names',
'dates of birth',
'social security numbers',
'medical procedures',
'test results',
'health insurance information']},
'date_detected': '2016-06-26',
'date_publicly_disclosed': '2016-07-29',
'description': 'Athens Orthopedic Clinic PA experienced a data breach where a '
'hacker accessed and exfiltrated patient health data using a '
'vendor’s credentials, affecting 208,557 individuals. The '
'breach included sensitive information such as names, dates of '
'birth, social security numbers, medical procedures, test '
'results, and health insurance information.',
'impact': {'data_compromised': ['names',
'dates of birth',
'social security numbers',
'medical procedures',
'test results',
'health insurance information'],
'financial_loss': '1,500,000',
'legal_liabilities': ['HIPAA Privacy and Security Rules violation'],
'systems_affected': ['electronic medical record system']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
'entry_point': "Vendor's credentials",
'high_value_targets': ['Patient health data']},
'lessons_learned': 'Importance of conducting risk analysis, implementing risk '
'management, and audit controls.',
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': ['Implement corrective '
'action plan',
'Conduct risk analysis',
'Implement risk management '
'and audit controls'],
'root_causes': ['Weaknesses in vendor credential '
'management',
'Longstanding noncompliance with '
'HIPAA Privacy and Security '
'Rules']},
'ransomware': {'data_exfiltration': 'Yes', 'ransom_demanded': 'Yes'},
'recommendations': 'Enhance credential management, conduct regular risk '
'assessments, and implement robust audit controls.',
'references': [{'source': 'Office for Civil Rights at the U.S. Department of '
'Health and Human Services'}],
'regulatory_compliance': {'fines_imposed': '1,500,000',
'legal_actions': ['Corrective action plan'],
'regulations_violated': ['HIPAA Privacy and '
'Security Rules'],
'regulatory_notifications': ['OCR']},
'threat_actor': 'Hacker',
'title': 'Athens Orthopedic Clinic Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Weaknesses in vendor credential management'}