In a time when EHR security is still catching up to the abilities of malevolent hackers, it only makes sense that the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) will do anything it can to get covered entities and business associates to actually take their security seriously. If that means fining a single covered entity $1.5 million, the maximum annual amount, to settle long-standing noncompliance HIPAA violations in order to send out a warning signal of what won’t be tolerated, then so be it. That is exactly what happened to Athens Orthopedic Clinic, an Athens, GA-based healthcare facility that was founded in 1966. It provides orthopedic services to roughly 130,000 patients a year.
What happened
On June 26, 2016, data hacking journalist Dissent from Databreaches.net (regular readers of this blog will remember this individual from the Blackbaud incident) notified the clinic about protected health information (PHI) that had been posted on the dark web for sale. After an initial investigation, Athens Orthopedic Clinic discovered that hackers from the notorious international hacking organization known as The Data Overlord had obtained credentials for access into the third party vendor system that contained patient data on June 14th, 2016. Over the next month, until July 16th, the hacking group continued to access the clinic’s PHI. A breach report filed by the clinic to the OCR showcased that 208,557 individuals had been affected and information like names, birthdays, social security numbers, medical procedures, test results, and healthcare insurance information had been extracted from the database.
What a further investigation uncovered
Suffice it to say, this was one of the more notorious covered entity hacking events in a long time. When the OCR investigated further, it uncovered longstanding systemic noncompliance by Athens Orthopedic Clinic of HIPAA rules and policies including:
Failure to conduct a software implementation risk analysis
Because of the lack of these controls, it was easier than ever for members of The Dark Overlord to hack into Athens Orthopedic Clinic’s database and sell access to patients’ PHI on the dark web. In addition to the $1.5 million settlement, Athens Orthopedic Clinic was ordered to come up with a corrective action plan (CAP) that entails reviewing all relationships with vendors and third-party services in order to identify all business associates. The clinic was also ordered to revise its policies to comply with HIPAA’s access control requirements for software applications to prevent impermissible access to electronic PHI (ePHI). In all, a complete security overhaul is what Athens Orthopedic Clinic is ordered to do.
How Paubox would make a difference
As you can see, failure to follow basic HIPAA requirements can spell disaster for your organization. Paubox Email Suite Standard, Plus, and Premium, as well as the Paubox Email API, are HITRUST CSF certified which means that our HIPAA compliant email products have met key regulatory and industry-defined requirements in order to appropriately manage security risk.Additionally, Paubox is happy to sign a BAA with all its healthcare customers.Had Athens Orthopedic Clinic contracted with Paubox, at least part of its current violations would have been mitigated. Because healthcare organizations have a wealth of sensitive data and information, they are a major target for cybercriminals. Unfortunately, many covered entities lack the proper security protocols necessary to protect against well-designed attacks.
The takeaway
While this situation is quite egregious and certainly an outlier, the fact remains that large sets of PHI all over the world are vulnerable to hacking. Perhaps such a large fine will cause healthcare businesses to wake up and finally take a closer inspection at how well they are securing their patient data against potential cyber threats. By following HIPAA guidelines and contracting with services that are built for compliance, covered entities can do a much better job of protecting themselves as well as their patients while avoiding nightmare scenarios from regulating bodies like the HHS and OCR.