21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday March 4 that it was latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago.
The breach occurred as early as October 3rd of last year when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach (see HERE) and is offering patients one year of identity theft protection services.
We highlighted concerns associated with law enforcement delays in discussing another data breach in July 2015 (see HERE). In this post, we discussed that the now infamous Anthem breach was announced within a week of the intrusion, but the delayed disclosure/action in the UCLA breach led to a class action lawsuit. With some health data breaches, it can take months to announce that individuals are at risk and to take remedial measures. This is sometimes at the request of law enforcement agencies, so as to not impede ongoing investigations, but the result of delay can be increased risk to affected individuals, and/or their increased wrath.
The company apparently was quick to address internal security systems once the intrusion was identified, but this story highlights the importance of pro-active security monitoring and security measures. The best case scenario is that these measures will protect your organization from a data breach. In the worst case scenario of an actual data breach, they can at least help insulate you from allegations of systemic non-compliance, which are likely to follow in the form of an investigation or a class action lawsuit.