An orthopedic services clinic in Georgia, Athens Orthopedic Clinic, recently entered into a Resolution Agreement with the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services as a settlement after numerous systemic violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were identified.

Athens Orthopedic Clinic provides services to patients across northeastern Georgia.  On June 26, 2016, a journalist notified the clinic that a database of its patient records may have been stolen and posted online for sale.  Two days later, a hacker group contacted the clinic and demanded money in return for a complete copy of the stolen database, prompting the clinic to launch an internal investigation that determined that the hacker group had used stolen vendor credentials to access the database on June 14, 2016.  Although the clinic had terminated the stolen credentials on June 27, 2016, the hacker group was able to continue accessing patient records until July 16, 2016.

Athens Orthopedic reported the breach to OCR on July 29, 2016, indicating that 208,557 individuals had been affected by the breach, and that a wide variety of protected health information (PHI) had been compromised, including patients’ demographic, clinical, and financial/billing information.

OCR’s subsequent investigation determined the clinic had “longstanding, systemic noncompliance” with HIPAA Privacy and Security Rules, including failures to implement mechanisms that monitor activity in information systems, secure business associate agreements, provide HIPAA training to the workforce, and conduct or implement assessments and security measures that identify and reduce risks.

As part of the Resolution Agreement, Athens Orthopedic has agreed to pay $1.5 million to HHS as a monetary settlement.  Furthermore, Athens Orthopedic has also agreed to implement a corrective action plan in order to address the HIPAA violations.

Furthermore, apart from initiating a government investigation, the data breach also resulted in a class action lawsuit being filed against Athens Orthopedic, styled as Christine Collins, et. al. v. Athens Orthopedic Clinic, P.A..  In early 2017, several patients who were affected by the data breach filed a putative class action against the clinic, asserting claims for negligence, breach of implied contract, unjust enrichment, attorney fees, injunctive relief under Georgia’s Uniform Deceptive Trade Practices Act, and declaratory judgment.  The trial court dismissed all claims and the Court of Appeals of Georgia affirmed the dismissal.  On December 23, 2019, the Georgia Supreme Court granted certiorari and reversed, holding that it was error to dismiss the negligence claim because there was in fact a legally cognizable injury.  On September 25, 2020, the Court of Appeals of Georgia, on remand, adopted the Supreme Court’s opinion and further reversed the dismissal of the claims for breach of implied contract and attorney fees.  Collins v. Athens Orthopedic Clinic, A18A0296, 2020 WL 5742663 (Ga. Ct. App. Sept. 25, 2020).

To view the Resolution Agreement, please click here.

To view the Collins v. Athens Orthopedic Clinic decision, please click here.