21st Century Oncology settlement with HHS over 2015 data breach came with a $2.3 million price tag
There’s an update or follow-up to a breach involving 21st Century Oncology that was first reported on this site in March 2016. The breach, which they first learned of in November 2015 when federal agents contacted them, was the second breach in as many years that the entity had neither prevented nor discovered under its own means. The 2013 incident involved a rogue employee, while the 2015 incident appeared to involve a hack. Both compromised patient information.
The 2015 breach resulted in numerous lawsuits and couldn’t have occurred at a worse time, as the entity was in the process of finalizing a $19.75 million settlement with the government under the False Claim Acts. There was also an announcement this week of a $26 million settlement under the False Claim Acts.
This week, FierceHealthcare broke the news that 21st Century Oncology had reached a $2.3 million settlement with OCR over the 2015 breach. Although HHS has not issued a press release about this settlement, HHS’s findings from its investigation are incorporated in the court filing as an exhibit. Those findings include:
A. 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients. See 45 C.F.R. § 164.502(a);
B. 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of theelectronic protected health information (ePHI) held by 21CO. See 45 C.F.R. § 164.308(a)(1)(ii)(A);
C. 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A). See 45 C.F.R. § 164.308(a)(1)(ii)(B);
D. 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. §164.308(a)(1)(ii)(D);
E. 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement. See 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).