21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database. The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015. Upon further investigation by 21CO and OCR, it was determined that 21CO:

  • Impermissibly disclosed the protected health information (PHI), including names, social security numbers, and diagnoses, and treatments, of 2,213,597 of its patients.
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Disclosed protected health information to third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

In addition to the fine, 21CO agreed to enter into a two-year corrective action plan (CAP) with HHS-OCR whereby 21CO agrees to:

  • Appoint a compliance officer.
  • Complete a risk analysis and risk management plan.
  • Revise and adopt policies and procedures.
  • Provide HHS with an accounting and copies of its business associate agreements.
  • Conduct internal and external monitoring.
  • Create an internal reporting mechanism for workforce members to report violations of 21CO’s policies and procedures.
  • Submit to HHS an annual report for the duration of the CAP that summarizes its compliance with the aforementioned requirements.

This resolution and corrective action plan is the first OCR-HIPAA compliance enforcement action since May 2017. It underscores the importance of having a robust HIPAA compliance program that properly assesses vulnerabilities and mitigates them to a reasonable and appropriate level. The settlement was approved by the United States Bankruptcy Court for the Southern District of New York on December 11, 2017. 21CO has 136 centers located across 17 states and 36 centers in seven Latin American countries and had petitioned for bankruptcy on May 25, 2017,

The OCR settlement comes on the heels of two other major settlements for 21CO. On March 8, 2016, 21CO entered into a settlement agreement with the U.S. Department of Justice (DOJ) for $34.7 million over a billing fraud case, and most recently settled with the DOJ on December 12, 2017 for $26 million to settle False Claims Act allegations.