$2.3 Million Settlement in Unprotected Health Records Case

21st Century Oncology, Inc. determined that 2,213,597 individuals were affected by impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment, and insurance information.

21st Century Oncology, Inc. has agreed to pay $2.3 million in lieu of potential civil money penalties to the U.S. Department of Health and Human Services Office for Civil Rights and to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, HHS recently announced.

Based in Fort Myers, Fla., 21CO is a provider of cancer care services and radiation oncology. With their headquarters located in Fort Myers, Florida, 21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. On May 25, 2017, 21CO filed for Chapter 11 bankruptcy protection; the settlement with HHS will resolve its claims against 21CO, and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place, according to HHS.

It reported that the settlement with the Office for Civil Rights was approved by a bankruptcy judge on Dec. 11, 2017.

According to HHS, on two occasions in 2015, the FBI notified 21CO that patient information was illegally obtained by an unauthorized third party and produced 21CO patient files purchased by an FBI informant. "As part of its internal investigation, 21CO determined that the attacker may have accessed 21CO's network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within 21CO's network. 21CO determined that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment, and insurance information."

The OCR investigation found 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information to third-party vendors without a written business associate agreement.

"People need to trust that their private health information will remain exactly that: private," said OCR Director Roger Severino. "It's not just my hope that covered entities will learn from this example and proactively find and address their security risks, it's what the law requires."

The corrective action plan requires 21CO to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.

The resolution agreement is available here.

Download Center

HTML - No Current Item Deck
  • Free Safety Management Software Demo

    IndustrySafe Safety Management Software helps organizations to improve safety by providing a comprehensive toolset of software modules to help businesses identify trouble spots; reduce claims, lost days, OSHA fines; and more.

  • Complete Online Safety Training Courses

    Deliver state-of-the art, online safety training courses to your organization with IndustrySafe Training Management Software. Generate reports to track training compliance and automatically notify learners of upcoming or overdue classes.

  • Easy to Use Safety Inspection App

    Conduct inspections on the go with IndustrySafe’s mobile app. Complete safety audits at job sites and remote locations—with or without web access.

  • Track Key Safety Performance Indicators

    IndustrySafe’s Dashboard Module allows organizations to easily track safety KPIs and metrics. Gain increased visibility into your business’ operations and safety data.

  • Analyze Incident Data and Maintain OSHA Compliance

    Collect relevant incident data, analyze trends, and generate accurate regulatory reports, including OSHA 300, 300A, and 301 logs, through IndustrySafe’s extensive incident reporting and investigation module.

  • Industry Safe
comments powered by Disqus