21st Century Oncology Notifies Patients of Data Security Incident
Update, March 8: A 21st Century Oncology spokesperson confirmed today to DataBreaches.net that 2.2 million patients were impacted by this breach. Note that this is the second time 21st Century Oncology has learned of a data breach from federal authorities. In 2013, this site reported on an incident involving a rogue employee. That incident never appeared on HHS’s breach tool, so I’m not sure if it involved fewer than 500 patients or if something else happened there with the report on it.
Also today, the government formally settled the False Claim Act charges. See the press release here.
Only months after it settled charges under the False Claims Act by agreeing to pay the federal government $19.75 million for billing for tests that were not medically necessary, 21st Century Oncology announced it is investigating a hack of its network that it learned about from the government in November. The text of its announcement today is reproduced below. It does not indicate the number of patients who may be impacted, and the incident is not yet listed on HHS’s public breach tool. At the present time, it is not known whether there is any connection between this incident and the whistleblower lawsuit and subsequent False Claims Act investigation.
Today, 21st Century Oncology Holdings, Inc. announced that it is investigating an unauthorized third party intrusion into its network. The company is providing notice to individuals that may have been affected by the incident and offering one year of complimentary identity protection services to those individuals.
On November 13, 2015, the Federal Bureau of Investigation (FBI) advised 21st Century that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database. Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. Based on this investigation, 21st Century has determined that the intruder may have accessed the database on October 3, 2015, which contained the personal information of some patients, including their names, social security numbers, physicians’ names, diagnoses and treatment information, and insurance information. We have no evidence that patients’ medical records were accessed.
The FBI asked that 21st Century delay notification or public announcement of the incident until today so as not to interfere with its investigation. Now that law enforcement’s request for delay has ended, the company is notifying patients as quickly as possible. 21st Century continues to work closely with the FBI on its investigation. In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.
21st Century has no indication that patients’ information has been misused in any way; however, out of an abundance of caution, the company is offering one year of free identity theft protection services to potentially affected patients.
21st Century remains committed to maintaining the privacy and security of our patients’ personal information.
More information for potentially affected patients is available on 21st Century’s website: https://www.21co.com/SecurityIncident. 21st Century has also established a call center for individuals with questions, which can be reached at 1-866-446-1405, from 9 a.m. to 9 p.m. Eastern Time, Monday through Friday.