21st Century Oncology to Pay $2.3M to Settle Potential HIPAA Violations | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

21st Century Oncology to Pay $2.3M to Settle Potential HIPAA Violations

January 2, 2018
by Heather Landi
| Reprints

A Fort Myers, Florida-based cancer practice, 21st Century Oncology, Inc., has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

21st Century Oncology also agreed to adopt a comprehensive corrective action plan as part of the settlement. The organization, a provider of cancer care services and radiation oncology, operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. The organization’s resolution agreement with OCR can be found here.

According to a press release from HHS OCR, on two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology that patient information was illegally obtained by an unauthorized third party and produced patient files purchased by an FBI informant. As part of its internal investigation, 21st Century Oncology determined that the attacker may have accessed the organization’s network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within the organization’s network.

The cancer practice found that more than 2.2 million individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. “OCR’s subsequent investigation revealed that the cancer practice failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement,” according to the OCR press release.

“People need to trust that their private health information will remain exactly that; private,” OCR director Roger Severino, said in a prepared statement. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”

In addition to a $2.3 million monetary settlement, a corrective action plan requires 21st Century Oncology to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.

This past May, 21st Century Oncology filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement with OCR will resolve OCR’s claims against the practice and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place, OCR officials stated. The settlement with OCR was approved by the Bankruptcy Court in December.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.

Report: Healthcare Accounted for 45% of All Ransomware Attacks in 2017

Healthcare fell victim to more ransomware attacks than any other industry in 2017, according to a new report from global cybersecurity insurance company Beazley.

Study: Use of EHRs Does Not Reduce Administrative Costs

A recent study by Duke University and Harvard Business School researchers found that costs for processing a single bill ranged from $20 for a primary care visit to $215 for an inpatient surgical procedure, or up to 25 percent of revenue.

Kibbe to Step Down as CEO of DirectTrust

David Kibbe, M.D., M.B.A., announced he would step down as president and CEO of DirectTrust at the end of the year.