Hefty HIPAA Fine After Breach Involving 'The Dark Overlord'Regulator: Georgia Clinic Showed 'Systemic Noncompliance'
This story has been updated with Athens Orthopedic Clinic's statement.
Federal regulators have announced a $1.5 million HIPAA settlement with a Georgia orthopedic clinic stemming from a 2016 breach involving The Dark Overlord hacking group. The case serves as a warning of the potentially hefty cost of failure to implement a comprehensive HIPAA compliance program.
The $1.5 million settlement is the largest HIPAA penalty OCR has levied so far this year.
On Monday, Nathan Wyatt, a U.K. resident who was a member of The Dark Overlord hacking group, pleaded guilty to federal charges and was sentenced to five years in prison, according to the U.S. Justice Department (see: 'Dark Overlord' Hacker Sentenced to 5-Year Prison Term). In 2016, The Dark Overlord hacking group attacked organizations in the St. Louis area, targeting healthcare providers, accounting firms and other companies, stealing data and threatening to release it, according to the Justice Department.
"Hacking is the No. 1 source of large healthcare data breaches," Roger Severino, OCR director, says in the statement. "Healthcare providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers."
OCR's investigation into the breach uncovered "longstanding, systemic noncompliance with the HIPAA privacy and security rules," including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates and provide HIPAA Privacy Rule training to workforce members, the agency says.
Athens Orthopedic has about 400 employees and serves approximately 138,000 patients annually in northeastern Georgia, OCR notes in its settlement with the clinic.
"A $1.5 million settlement for a medical group, rather than a large healthcare system, is a pretty high amount when compared to past resolution agreements for similar entities," notes privacy attorney Adam Greene, of the law firm Davis Wright Tremaine. "OCR seems to be sending a message that it expects all healthcare providers to put in the hard work of having a comprehensive HIPAA Security Rule compliance program and that the consequences for a failure to do so will be high."
The size of the penalty paid by Athens Orthopedic Clinic, along with the breadth of the corrective action plan, reflects OCR's finding of "a systemic failure" to implement a reasonable risk-based information security program," says privacy attorney David Holtzman, of the consultancy HITprivacy LLC.
The clinic's "lack of fundamental policies and procedures to have safeguards in place to protect their protected health information, combined with a failure to perform information security risk assessments or mitigate gaps that would have been discovered through the analysis, left the information system open to attack," he says. "These failures prevented the covered entity from discovering that access to the information system had been compromised."
The clinic also did not take reasonable steps to respond to the information security incident, he adds.
OCR's resolution agreement with Athens Orthopedic Clinic notes that, on June 26, 2016, a journalist notified the clinic that a database of patient records suspected of belonging to the practice was posted for sale online.
"On June 28, 2016, a hacker group known as 'The Dark Overlord' contacted AOC by email and demanded money in return for a complete copy of the database it stole without sale or further disclosure," the resolution agreement notes.
A computer forensic analysis determined that the hacker group had obtained a vendor's credentials to the clinic's system and used them to gain access on June 14, 2016, the agreement says.
"While AOC terminated the compromised credentials on June 27, 2016, the Dark Overlord's continued intrusion was not effectively blocked until July 16, 2016."
Analysis determined that almost 209,000 individuals had data exposed in the breach, the resolution agreement says.
"Due to the breadth of system applications affected, a variety of protected health information was exposed, including patient demographic information - name, date of birth, Social Security number, etc., - clinical information ... and financial/billing information."
Athens Orthopedic Clinic also faces a class-action lawsuit tied to the breach (see: Class Action Breach Lawsuits: The Impact of Data for Sale).
Corrective Action Plan
Under the settlement with OCR, the clinic has agreed to undertake a detailed corrective action plan that includes:
- Providing OCR with an accounting of all its business associates and copies of business associate agreements;
- Conducting an accurate, thorough, enterprisewide analysis of security risks and vulnerabilities that incorporates all systems controlled, administered, owned or shared by the clinic or its affiliates;
- Developing an enterprisewide risk management plan to mitigate any security risks and vulnerabilities identified;
- Reviewing and revising its written policies and procedures to comply with the HIPAA privacy, security and breach notification rules;
- Distributing its OCR-approved policies and procedures to all employees;
- Providing training to all employees.
"The most important takeaway from this case is that, even with a security incident or breach arguably caused by a vendor - given the stolen credentials here belonged to a vendor - any investigation allows OCR the opportunity to take a look at all of an entity's 'dirty laundry,'" says privacy attorney Iliana Peters, of the law firm Polsinelli.
"In other words, OCR can, and will, use a compliance review - like a breach-based investigation - to evaluate an entity's compliance with many different requirements of the HIPAA rules and, as here, will assess potential violations on applicable noncompliance. Given this enforcement approach, it's always best for an entity to implement robust compliance programs prior to any particular security incident or breach. No entity is perfect, so there will always be another breach. But entities can cut short any investigations by OCR with regard to other potential violations with good, enterprisewide compliance efforts."
Athens Orthopedic Clinic Statement
Athens Orthopedic Clinic CEO Kayo Elliott in a statement to Information Security Media Group says the clinic "is pleased" to have resolved issues relating to the 2016 security event.
It is our practice always, and especially during this era of frequent sophisticated cyber-attacks, to remain committed to safeguarding our patients' personal and health information from security threats, while continuing to provide top-quality medical care to our patients throughout Northeast Georgia and the Southeast."
Business Associate Risks
Holtzman says the Athens Orthopedic incident offers important lessons involving business associates.
"Healthcare organizations must do more to examine their business partners to ensure they have made the investment in technical security controls to actively monitor and alert system administrators to suspicious activity combined with employee awareness and training," he says.
"Look carefully at the information security and privacy safeguards that a prospective vendor has in place when outsourcing a service that will create or maintain healthcare data. Review the risk assessment and risk management plans for each vendor so that you can know going into your vendor selection process which vendors have the information security strategy that best fits your needs and expectations."
Last week, OCR issued five smaller HIPAA settlements with healthcare organizations stemming from complaints about a lack of patient access to their healthcare information (see: Fines Tied to Failure to Provide Patients With Records).
In addition to those enforcement actions, OCR this year issued settlements in three other breach investigation cases.