21st Century Oncology to Pay $2.3M to Settle Potential HIPAA Violations | Healthcare Informatics Magazine | Health IT | Information Technology

21st Century Oncology to Pay $2.3M to Settle Potential HIPAA Violations

January 2, 2018
by Heather Landi

A Fort Myers, Florida-based cancer practice, 21st Century Oncology, Inc., has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

21st Century Oncology also agreed to adopt a comprehensive corrective action plan as part of the settlement. The organization, a provider of cancer care services and radiation oncology, operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. The organization’s resolution agreement with OCR can be found here.

According to a press release from HHS OCR, on two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology that patient information had been illegally obtained by an unauthorized third party, and produced patient files purchased by an FBI informant. As part of its internal investigation, 21st Century Oncology determined that the attacker may have accessed the organization’s network SQL database as early as October 3, 2015, over the Remote Desktop Protocol (RDP) from an Exchange server within the organization’s network.

The cancer practice found that more than 2.2 million individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. “OCR’s subsequent investigation revealed that the cancer practice failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement,” according to the OCR press release.
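The OCR findings above fault the practice for not regularly reviewing audit logs, and the intrusion path was RDP from an Exchange server to the SQL database. As an added illustration, not code from the article or from 21st Century Oncology, the script below shows the kind of routine log review that would have surfaced that path: it reads a constructed export of Windows Security event 4624 records (LogonType 10 is a RemoteInteractive, i.e. RDP, logon) and flags RDP sessions to the database host from any source other than an approved jump host. Host names, accounts and the JSON export format are assumptions.

```python
"""Flag RDP logons to a database host from unexpected sources (added example).

Assumes Windows Security event 4624 (successful logon) records exported as one
JSON object per line; LogonType 10 = RemoteInteractive (RDP). Names are constructed.
"""
import json
from collections import defaultdict

# Constructed policy: only the jump host may open RDP sessions to the DB server.
DB_HOSTS = {"SQLDB01"}
APPROVED_RDP_SOURCES = {"ADMIN-JUMP01"}

# Constructed sample export; the mail-server-to-DB session is the one to catch.
SAMPLE_LOG = """
{"EventID": 4624, "LogonType": 10, "TargetHost": "SQLDB01", "WorkstationName": "ADMIN-JUMP01", "Account": "dba.jane", "Time": "2015-10-03T02:11:09Z"}
{"EventID": 4624, "LogonType": 3, "TargetHost": "SQLDB01", "WorkstationName": "APPSRV02", "Account": "svc_app", "Time": "2015-10-03T02:12:40Z"}
{"EventID": 4625, "LogonType": 10, "TargetHost": "SQLDB01", "WorkstationName": "EXCH01", "Account": "administrator", "Time": "2015-10-03T03:45:02Z"}
{"EventID": 4624, "LogonType": 10, "TargetHost": "SQLDB01", "WorkstationName": "EXCH01", "Account": "svc_backup", "Time": "2015-10-03T03:47:15Z"}
"""


def parse_events(text):
    """Yield one dict per non-empty line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def suspicious_rdp_logons(events):
    """Return successful RDP logons to a DB host whose source is not approved."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        if ev.get("TargetHost") in DB_HOSTS and ev.get("WorkstationName") not in APPROVED_RDP_SOURCES:
            hits.append(ev)
    return hits


def review_report(text):
    """Group flagged sessions by source host, as a periodic review would list them."""
    per_source = defaultdict(list)
    for ev in suspicious_rdp_logons(parse_events(text)):
        per_source[ev["WorkstationName"]].append((ev["Time"], ev["Account"]))
    return dict(per_source)


if __name__ == "__main__":
    for src, sessions in review_report(SAMPLE_LOG).items():
        print(f"RDP to DB host from unapproved source {src}: {sessions}")
```

Failed logons (4625) are deliberately left out of the match so the report lists only sessions that actually opened; a separate rule would track failures.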

“People need to trust that their private health information will remain exactly that: private,” OCR director Roger Severino said in a prepared statement. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”

In addition to a $2.3 million monetary settlement, a corrective action plan requires 21st Century Oncology to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.

This past May, 21st Century Oncology filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement with OCR will resolve OCR’s claims against the practice and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place, OCR officials stated. The settlement with OCR was approved by the Bankruptcy Court in December.
