More than four years after a cache of its patients’ records appeared for sale online, a Georgia-based clinic has settled with the U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) for $1.5 million.

The clinic, Athens Orthopedic, specializes in spine health, sports medicine, and orthopedic trauma. It also had a long history of failing to adhere to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, OCR alleges.

The settlement (.PDF) – finalized Monday - isn't a concession that the clinic isn't in violation of the HIPAA rules but it does recognize that the clinic plans to fix the issues and follow a Corrective Action plan, set forth by HHS.

In particular, OCR says the clinic failed to prevent unauthorized access to its patients' electronic protected health information or ePHI, implement security measures to reduce risks and vulnerabilities, and conduct an assessment of those risks. For certain dates, the clinic also failed to implement mechanisms to record and examine activity in systems that contained ePHI, provide its workforce with HIPAA training, and maintain copies of its HIPAA policies and procedures.

It was a combination of these shortcomings that allowed one of the decade's most infamous hacking groups, The Dark Overlord, to steal a vendor's credentials and access the clinic's system. With that access the hacker was able to access data belonging to 208,557 individuals, including patient information like name, date of birth, social security number, the reason why they visited the clinic, any medications they were on, and any financial information associated with their account, like their health insurance information or when they paid.

It wasn't until databreaches.net - a site that aggregates data breaches, often before they're made public - notified the clinic that its patients' records were online on June 26, 2016, that Athens Orthopedic realized something was awry. Two days later, on June 28, The Dark Overlord sought a ransom for the database. In reality the hacker had access to protected health information for more than a month, until July 16, thanks to his privileged access.

10 days later the clinic filed a breach report with the OCR that 208,557 patients had their data accessed by the attacker.

Even though The Dark Overlord used the credentials of a vendor to access the data, the OCR found a handful of issues with the way the clinic approached risk and security. Going forward, in addition to the 1.5M, Athens Orthopedic will need to follow a slew of agreements as part of the Corrective Action.

The clinic needs to reevaluate its relationships with vendors, conduct an enterprise-wide analysis of its security risks and vulnerabilities, perform an inventory of all of its data systems, electronics, etc., and develop and follow a plan to mitigate risks down the line.

The clinic needs to pay special attention to policies around the following:

• Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI,
• Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary,
• Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately,
• Termination of user accounts when necessary and appropriate,
• Appropriate configuration of user accounts to comply with the Minimum Necessary Rule,
• Required and routine password changes,
• Password strength and safeguarding,
• Addressing and documenting security incidents,
• Conducting routine, accurate, and thorough risk analyses and implementing corresponding security measures to sufficiently reduce identified risks and vulnerabilities to a reasonable and appropriate level,
• Workforce training,
• Documentation of workforce training,
• Identification of business associates,
• Engaging in compliant business associate agreements,
• Breach notification content requirements

The fact that the clinic failed to secure its data and satisfy the HIPAA Security Rule made it a prime candidate for hacking, the OCR’s Director, Roger Severino said Monday.

"Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," Severino said.