HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Athens Orthopedic Clinic Breach: No Money to Pay for Identity Theft Protection Services

On June 14, a hacker operating under the name The Dark Overlord hacked an Athens Orthopedic Clinic database containing the records of 201,000 patients. The attack was performed via a third party vendor that was used by the clinic.

Patient data were stolen and the hacker attempted to extort money from the clinic. A threat was issued saying the data would be sold if a payment was not made. When the clinic refused to pay, the data were listed for sale on darknet marketplace TheRealDeal. The data included patient names, dates of birth, addresses, telephone numbers, account numbers, Social Security numbers, and potentially diagnoses and medical histories.

While healthcare cyberattacks usually result in patients being offered a minimum of 12 months credit monitoring and identity theft protection services to mitigate risk, Athens Orthopedic Clinic has confirmed that its patients will not be offered these services.

A spokesperson for Athens Orthopedic Clinic issued a statement to the Athens Banner-Herald explaining that the clinic cannot afford to pay for extended credit monitoring services for 200,000 individuals. The cost of providing those services would be “many millions of dollars,” and there simply isn’t the money available.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Kayo Elliott, CEO of Athens Orthopedic Clinic said “We are not able spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business.” Elliot apologized to patients affected by the breach, saying “I recognize and am truly sorry for the position this puts our patients in.”

AOC trauma surgeon Chip Ogburn, MD also told the Athens Banner-Herald “I assure you that every single physician is incredibly distraught with this violation of our responsibility to you and the relationships that we have built.”

Action has been taken to reduce the risk of future breaches and the contract with the “healthcare information management contractor” has now been terminated. Patients have been instructed to contact credit reference agencies to place fraud alerts on their files and to obtain credit reports to monitor for fraud.

The breach has already cost the clinic a considerable amount of money. 201,000 breach notification letters have been mailed to affected patients, an external cybersecurity firm was brought in to investigate the breach, and steps have been taken to improve cybersecurity defenses to prevent future cyberattacks. However, those are not the only costs that will need to be covered. At least two law firms have issued news releases requesting breach victims get in touch to get their names added to class action lawsuits.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.