US cancer care provider settles for $2.3 million following health records compromise

21st Century Oncology, Inc. (21CO) has agreed to pay $2.3 million to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to avoid potential civil monetary penalties after a data breach exposed private, sensitive information. In 2015, the FBI alerted 21CO that an unauthorized third party had illegally obtained patient information, and it produced patient files purchased by an FBI informant.

21CO says that 2,213,597 patients were affected. The breach exposed patient names, Social Security numbers, physician names, diagnoses, treatments, and insurance information. The FBI conducted an internal investigation and twice notified 21CO that patient data had been illegally obtained. The FBI found that:

  • The data breach occurred as early as October 3, 2015
  • A third party infiltrated 21CO’s network SQL database
  • Criminal hackers gained access through Remote Desktop Protocol from an Exchange server within 21CO’s network

The HHS is an agency that enforces human rights laws pertaining to nondiscrimination, conscience, religious freedom, and health information privacy. It found that 21CO did not practice due diligence in protecting the confidentiality, integrity, and availability of patient data. 21CO did not follow standards, processes, and procedures as outlined in typical cybersecurity frameworks. In addition to releasing protected health information to third-party vendors without a written business associate agreement, 21CO failed to:

  • Conduct an accurate, thorough assessment detailing the potential risks and vulnerabilities that could affect the electronic protected health information it held
  • Implement security controls to significantly mitigate risks and vulnerabilities to an acceptable level
  • Implement procedures to regularly review records of information system activity, e.g. audit logs, access reports, and security incident tracking documents

21CO must act to improve its data security

21CO billed itself as the world’s largest operator of cancer treatment centers. Yet on May 25, 2017, it filed for Chapter 11 bankruptcy. It attributed the filing to insurance reimbursement rates and uncertainty caused by political changes. CEO Paul Rundell cited declining revenue per treatment, regulatory compliance costs for electronic records, and litigation and legal settlement costs as drivers for the filing.

In December 2017, 21CO agreed to pay $26 million to settle medical fraud allegations. The organization admitted to – among other things – submitting or causing the submission of false claims to the Medicare Electronic Health Records (EHR) Incentive Program. Its employees falsified data about the company’s use of EHR software, fabricated software utilization reports, and doctored EHR vendor logos onto reports.

The settlement with OCR was approved by a bankruptcy court on December 11, 2017. In addition to paying the $2.3 million settlement, 21CO is required to improve its information security risk mitigation and management measures. According to the corrective action plan, the organization must:

  • Develop a risk analysis and risk management plan
  • Implement policies and procedures that meet cybersecurity requirements
  • Train and educate staff on cybersecurity policies and procedures
  • Deliver all business associate agreements to OCR
  • Submit an internal information security monitoring plan

According to the HHS website, “The settlement with OCR will resolve OCR’s claims and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place.”

US organizations will be affected by the EU GDPR

From May 25, 2018, entities around the world must meet compliance requirements set out by the EU General Data Protection Regulation (GDPR). If your organization processes the personal data of European residents, it must comply with the GDPR. IT Governance, a global leader in advising on data protection laws and information security standards, is offering a comprehensive introduction to the GDPR.

This one-day course will give you a practical understanding of the Regulation’s implications. You will also learn about the legal requirements that affect US organizations. The course is a prerequisite for the Certified EU GDPR Practitioner course. Register now for the Certified EU GDPR Foundation Training Course.