Georgia practice pays $1.5 million after hacker gains access to thousands of patient medical records

• A Georgia orthopedic practice will pay $1.5 million to settle potential HIPAA violations after a hacker gained access to the protected health information of more than 200,000 patients.

• The HHS Office for Civil Rights (OCR) announced Monday that Athens Orthopedic had committed long-standing, systemic violations of HIPAA, including a lack of staff training and a failure to execute a business associate agreement.

• Athens Orthopedic also agreed to a corrective action plan with two years of monitoring. The practice must provide HHS with a risk assessment that includes an inventory of the electronic devices, data systems, and applications that contain or store protected health information.

Cybersecurity is a major concern for healthcare providers, and one that has only grown as the COVID-19 pandemic strained resources and forced a large-scale migration to online services at a breakneck pace.

Over the past two years, 640 health data breaches have been reported to OCR, including nearly 40 this month alone. Of these, 442 were the result of a hacking incident. Organizations covered by HIPAA must report breaches affecting at least 500 people.

A reporter informed the practice in June 2016 that a database of patient information had been made available online. Two days later, the hacker demanded money in exchange for returning the stolen database. About a month later, Athens Orthopedic reported the breach to OCR.

The hacker group calling itself The Dark Overlord gained access to the health information using a vendor's credentials and retained that access for over a month. The exposed information included patients' medical treatment plans, test results, health insurance information, names, dates of birth, and Social Security numbers.

Healthcare companies have long struggled to protect patient data. A recent report from consulting firm CynergisTek showed that less than half of the organizations surveyed met national cybersecurity standards in the past year.

Medical practices performed the worst with only 20% compliance.