21st Century Oncology Notifies Patients of Data Security Incident

Update, March 8: A 21st Century Oncology spokesperson confirmed today to DataBreaches.net that 2.2 million patients were impacted by this breach. Note that this is the second time 21st Century Oncology learned of a data breach from federal authorities.  In 2013, this site reported on an incident involving a rogue employee. That incident never appeared on HHS’s breach tool, so I’m not sure if it involved less than 500 patients or if something else happened there with the report on it.

Also today, the government formally settled the False Claim Act charges. See the press release here.

Original story:

Only months after it settled charges under the False Claims Act by agreeing to pay the federal government $19.75 million for billing for tests that were not medically necessary, 21st Century Oncology announced it is investigating a hack of their network that they learned about from the government in November. Here is the text of their announcement today, below. It does not indicate the number of patients who may be impacted, and this is not up on HHS’s public breach tool yet. At the present time, it is not known whether there is any connection between this incident and the whistleblower lawsuit and subsequent False Claims Act investigation. 

Today, 21st Century Oncology Holdings, Inc. announced that it is investigating an unauthorized third party intrusion into its network. The company is providing notice to individuals that may have been affected by the incident and offering one year of complimentary identity protection services to those individuals.

On November 13, 2015, the Federal Bureau of Investigation (FBI) advised 21st Century that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21stCentury database. Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. Based on this investigation, 21st Century has determined that the intruder may have accessed the database on October 3, 2015, which contained the personal information of some patients, including their names, social security numbers, physicians’ names, diagnoses and treatment information, and insurance information. We have no evidence that patients’ medical records were accessed.

The FBI asked that 21st Century delay notification or public announcement of the incident until today so as not to interfere with its investigation. Now that law enforcement’s request for delay has ended, the company is notifying patients as quickly as possible. 21st Century continues to work closely with the FBI on its investigation. In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.

21st Century has no indication that patients’ information has been misused in any way; however, out of an abundance of caution, the company is offering one year of free identify theft protection services to potentially affected patients.

21st Century remains committed to maintaining the privacy and security of our patients’ personal information.

More information for potentially affected patients is available on 21st Century’s website: https://www.21co.com/SecurityIncident. 21st Century has also established a call center for individuals with questions, which can be reached at 1-866-446-1405, from 9 a.m. to 9 p.m. Eastern Time, Monday through Friday.



About the author: Dissent

27 comments to “21st Century Oncology Notifies Patients of Data Security Incident”

You can leave a reply or Trackback this post.
  1. Fred Classico - March 8, 2016

    I received this notice, and visited the provided URL to look into the alleged “free” identity theft protection.
    This protection is provided by Experian and hardly free. When I attempted to initiate enrollment, I was informed that PURCHASE of Experian’s Credit Monitoring Product ($4.95 for the first month, $19.95 per month thereafter) is a prerequisite to activation of the “free” ID theft protection.

    Sound like another financial services scam to me, so I decided not to bother. Buyer beware.

    • Dissent - March 8, 2016

      Say WHAT? I’ve never heard anyone have that experience signing up before. Did you call 21st Century to tell them what happened? If you haven’t, I would, to make sure they know and to see what they say/do.

    • Anonymous - March 8, 2016

      Your letter should have a code and activation instructions. I called today and they do not ask for any money, credit cards etc. Call the number and it has a menu for people affected by this situation.

      • Fred Classico - March 9, 2016

        Dissent & Anonymous: I appriciate the replies.

        Yes, I did enter the activation code provided in the letter. Entering that code is what triggered opening of a new window with the notification an active Experian Credit Monitoring subscription was required in order to obtain the “free” ID Theft Prevention service (regular price $15.95 / month). Clicking the hyperlink in that window opens a new screen requesting either a credit card # or active Credit Monitoring account # to be entered.

        Two other factors add to my suspicion the letter is fake:
        (1) Not only had I never previously heard of 21st Century Oncology, I am not aware of ever having received any medical service from them. So why would I be in their patient database?
        (2) The sign-up screen had my name pre-entered, but requested my Social Security number be entered as well. Supposedly the data breach involved the access of patient records that included SS numbers. In my opinion, Experian / 21st Century shoudl have already known my SS number from the provided activation code, if they knew my name and relevant medical history. Needless to say, I did not make any entries on this screen before closing my Browser.

        Calling the provided phone # for 21st Century only connects me to an automated answering system where none of the available options (1 throiugh 6) are relevant, and there is no option offered that can be pressed to connect to a real person.

        • Dissent - March 9, 2016

          Did you research the telephone number in the letter to see if it’s really Experian’s? Or maybe post the phone number here and the other commenter can say whether it’s the same one as in his letter?

          • Fred Classico - March 9, 2016

            Fair question.

            The number in the letter (800-437-1619) was for 21st Century Oncology, not Experian. I wanted to ask the 21st Century folks if the letter was authentic, and if so, why am I in their patient database, and why are they offering me a “free” service that actually will cost me more than $200.

            I did first enter the number into Google, which confirmed it as a 21st Century Oncology customer service line. That was the extent of my research. I just wanted some indication it wasn’t a number known to be linked to a scammer before calling..

          • Dissent - March 9, 2016

            They seem to have affiliated centers that are not named 21st Century. If you were ever treated at any cancer center (and please don’t mention here if you were), then it’s possible that’s how they have your info. But yes, you need to speak to them to find that out. Good luck.

    • Robert Wood - March 13, 2016

      Exactly the same thing happened to me. My wife and I both received letters, however, neither one of us has ever been to 21 Century.

  2. sofl - March 10, 2016

    I received a similar letter today. I see they did have a breach so on the surface it seems legit. I also do not recall ever being a patient. My letter did not have their phone number. Seems suspicious to me. I called a local office and they could not find a record and asked that I call back tomorrow to talk to a specific person. It is possible a scammer is piggybacking on a legitimate issue. There has to be a way to verify that my letter is real. I’m not putting anything on their web site until I know.

  3. Anonymous - March 11, 2016

    Got this letter. I have never been to ANY of their centers. I dont have cancer and never have even been tested for it. I have never even seen an oncologist in my entire life (only my GP and my ear doctor) in the past 5-6 years. Why would 21st Century Oncology have my data/records in the first place? Bizarre. And what the other person said is VERY telling. If they have our names/addresses and have sent a code (that is specific to each of us)–then they should automatically know the soc sec number that goes with each code they sent out to each person on their hacked list.

  4. OLDDOC - March 11, 2016

    I called one of the numbers on the letter saying my info had been breached and finally reached a person.
    After they asked for my SS number I hung up. Pretty sure this is a scam since I’ve never been a patient
    with them. The Website provided is a mishmash of ads and is up for sale and does not lead anywhere.

    In sum a total scam, but more clever than some since it piggy-backs on a real event…


    • Dissent - March 11, 2016

      Can you please scan in or upload a copy of the letter you got? What website is up for sale that the letter pointed you to?

      • OLDDOC - March 12, 2016

        Hello Dissent,

        The website listed in the letter is http://www.protectmyid.com/redeem (or /terms or /privacy).
        All lead nowhere. A banner at the upper right asks if you want to buy this domain.

        Pl instruct on how to upload the letter I received.


        • Dissent - March 12, 2016

          That url is Experian’s url (and it’s https://) and it asks for your activation code. I see their site, not what you’re describing. Maybe you typed it in wrong to your browser window? Try clicking on the link from here: http://www.protectmyid.com/redeem. That’s the same link you just gave me. Tell me if it works when you click on it from here.

          • OLDDOC - March 14, 2016

            Hello Dissent,

            You are right about my typing in the incorrect website, and I did get to Experian’s website
            when I used your link. I would still like to ‘fax’ you this letter.

          • OLDDOC - March 14, 2016

            Addendum….when I fill out Experian’s form they ask for my SS#, which they
            should have if they already have my identity. I’m very leery of giving it to them.
            Their needs to be better way of doing this, than again possible compromising my data with a rogue employee of Experian.Thanks for your help!

  5. Anonymous - March 11, 2016

    I received a letter today as well but I have never been to any oncology center (thankfully), nor have I had any cancer testing. This feels like a scam to me. I will use another agency to monitor my credit report. I don’t trust anything on the letter I received!

    While googling, I found the attached link where you can see a sample of the letter on pages 3-5. It appears to be related to New Hampshire and i’m in Florida. Again, I feel that this is a scam!

    • Dissent - March 11, 2016

      That letter that you linked to was to the NH Attorney General’s Office. They only reported the number of NH residents affected, as required by NH law. They’re likely sending one of those letters to every state with numbers for each state – or at least to the states where the law requires notification to the state as well as to consumers.

      21st Century Oncology has numerous locations in Florida, and not all are named 21st Century. In fact, some don’t look like they have cancer in their name at all. Use their locator at https://www.21co.com/find/location and plug in your city and state, and then expand the results. You may recognize the name of a center that you once sought services at.

      • Donna Jean - March 14, 2016

        Yes…I checked all of the areas in S. FL. and not one was familiar. I too, have
        had no oncology tests done. My letter from 21st Century mentioned that
        the F.B.I. had advised them that patient information was illegally obtained by
        an unauthorized 3rd party who may have gained access to a 21st Century
        database. Did anyone else have that info included in the letter?

  6. Anonymous - March 12, 2016

    I received this letter today.. I suspect this may be a scam, especially considering that I have willfully not had insurance since 2014.. the only doctors I have visited in that time have been paid cash and my ss#, etc was never given.. that fact that the letter appears to be selling a service (free for 1st year, but I’m sure after the year there is an auto reenroll for a fee).. I call BS.

  7. Marty Noee - March 13, 2016

    To all the above, I also received a letter about the Free Credit report and a code number. I tried to enter it and could not find how to do it. I am a patient of 21st Century Onocology and I have appt Wed and will take the letter I received and see what is going on and if this letter came from them. I also about 3 weeks ago got one from Radiology regional where I get my Mammograms done and it was for free credit report and I had no problem signing up for that one. I also called Radiology Regional and talked to a lady and she told me what had happened. I now have free credit reports from Eauifax and they send me e-mails about my credit . so will let you all know if the letter we all got is a scam or not. good luck all.

  8. James - March 14, 2016

    Jim O,
    Yes ,I like all of you received the letter,was it a scam? I did my due diligence. I researched on line, I decided to give it a go. It is legit. I now have a cop[y of my report from Experian. protectmyid.com is a company of there’s. I know everyone has to be so careful these days,I had ID theft and CC theft in the past,so I am really skeptical? But this is legit. But thank all of you for being careful. I feel sorry for all of those people that do not do internet research. Hope this helps…Jim

  9. Gene Myer - March 14, 2016

    After trying to contact them onthe phone waited about 10 minutes nobody answered.the computer was no help either.Could this be a scam?Never had a problem like this.Thank You

  10. Steve G. - March 15, 2016

    Total Scam. Don’t give them any information.

  11. Q - March 15, 2016

    It’s a scam. When you go to the website and type in the activation code, they ask you for all your data, including the SSN, which they supposedly already have. I was never a patient of 21st Century Oncology or any of their offices. Quick research shows that they have already settled a major lawsuit for a fraud; I’m wondering if they are now trying to recoup the cost in this way.

  12. Anonymous - March 16, 2016

    I received a letter also- and thought it was a scam since luckily I have never had cancer either. Racked my brain for awhile…I did a little digging though and figured out that my urologist is under the 21st Century Oncolgy “umbrella”, so to speak. So it looks like other doctors can be involved, not just cancer specialists.

Comments are closed.