Athens Orthopedic Clinic PA (“Athens”) has agreed to pay $1.5 million in a settlement with OCR for a 2016 data breach in which the PHI of 208,557 individuals was affected. In June 2016, Athens was notified that patient records may have been stolen and posted online for sale. Two days later, a hacker demanded money in exchange for the return of the stolen database. It was later determined that the hacker used a vendor’s credentials to access the database and stole patient records until July 16, 2016. Athens filed a breach report with OCR on July 29, 2016, more than a month after the ransom demand was made. OCR conducted an investigation and found that Athens suffered from systemic noncompliance with the HIPAA Privacy and Security Rules. In addition to the settlement, Athens will be implementing a corrective action plan which includes two years of monitoring.