21st Century Oncology to Pay $2.3M to Settle Potential HIPAA Violations

A Fort Myers, Florida-based cancer practice, 21st Century Oncology, Inc., has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

21^st Century Oncology also agreed to adopt a comprehensive corrective action plan as part of the settlement. The organization, a provider of cancer care services and radiation oncology, operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. The organization’s resolution agreement with OCR can be found here.

According to a press release from HHS OCR, on two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21^st Century Oncology that patient information was illegally obtained by an unauthorized third party and produced patient files purchased by an FBI informant. As part of its internal investigation, 21^st Century Oncology determined that the attacker may have accessed the organization’s network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within the organization’s network.

The cancer practice found that more than 2.2 million individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. “OCR’s subsequent investigation revealed that the cancer practice failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement,” according to the OCR press release.

“People need to trust that their private health information will remain exactly that; private,” OCR director Roger Severino, said in a prepared statement. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”

In addition to a $2.3 million monetary settlement, a corrective action plan requires 21^st Century Oncology to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.

This past May, 21^st Century Oncology filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement with OCR will resolve OCR’s claims against the practice and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place, OCR officials stated. The settlement with OCR was approved by the Bankruptcy Court in December.