Athens Orthopedic Clinic Pays $1.5 Million Financial Penalty for Systemic Noncompliance with HIPAA

The HHS’ Office for Civil Rights (OCR) has announced a settlement with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR investigated a data breach that the Athens, GA-based healthcare provider reported on July 29, 2016. On June 26, 2016, Dissent informed Athens Orthopedic Clinic that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients was being offered for sale online by a hacking group known as The Dark Overlord. The group is known for infiltrating systems, stealing data, and issuing ransom demands. If no payment is made, the stolen data is posted for sale.

Athens Orthopedic Clinic investigated the breach and determined that the hackers accessed its systems on June 14, 2016 using vendor credentials and copied data from its EHR system. The information of 208,557 patients was compromised in the attack, including names, Social Security numbers, dates of birth, procedures performed, test results, clinical data, billing details, and health insurance details.

OCR acknowledges that it is impossible to prevent all cyberattacks; however, when data breaches occur because of a failure to comply with the HIPAA Rules, financial penalties are appropriate.

Hacking is the main cause of large healthcare data breaches. If healthcare companies do not comply with the HIPAA Security Rule, their patients’ health records become an attractive target for cybercriminals.

OCR’s review of the breach identified the following systemic non-compliance with the HIPAA Rules.

Athens Orthopedic Clinic had not performed a complete and accurate audit of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Security measures had not been implemented to reduce the risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedural mechanisms for recording and examining information system activity, in violation of 45 C.F.R. § 164.312(b).

The clinic did not implement HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016 it had not entered into business associate agreements with three vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to its entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of these compliance failures, Athens Orthopedic Clinic did not prevent the hackers from gaining unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all areas of non-compliance identified in the OCR investigation. The clinic settled the case with no admission of liability.

This is OCR’s sixth HIPAA settlement announced in September and the ninth HIPAA penalty of 2020. Earlier this month, OCR announced five settlements with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with copies of their health records.