Florida Oncology Company to Pay $2.3 Million After Data Breach

Florida-based 21^st Century Oncology, which runs over 140 cancer centers in the US and is bankrupt, has agreed to pay $2.3 million to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The OCR, which is tasked with enforcing HIPAA compliance, investigated 21^st Century Oncology following a 2015 data breach in which over 2.2 million patient records were compromised. The federal scrutiny and eventual fine result from the company’s alleged failure to thoroughly respond to the breach.

The FBI notified 21^st Century Oncology of the breach in November 2015, and again a month later, although the final settlement notes that “the attacker may have accessed [21^st Century Oncology]’s network SQL database as early as October 3, 2015.”

The December 28^th settlement was made effective upon signing. In addition to the fine, it requires the company to enter into a corrective action plan (CAP) with HHS. CAP provisions will require the company to designate a HIPAA compliance representative to correspond directly with the Regional Manager of the OCR. The CAP also requires 21^st Century Oncology to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities” regarding its patient health data security, which HHS says the company failed to do upon discovery of the breach.

21^st Century Oncology is based in Fort Myers, Florida. It manages over 140 cancer specialty clinics in more than a dozen states across the country, from Key West to Detroit and from Providence to Anaheim. It also manages 36 locations in Latin America.

The company filed for bankruptcy in May of 2017, citing healthcare industry volatility, changes in reimbursement, and compliance costs. It employs more than 4,000 people, including hundreds of physicians. It has more than $1.1 billion worth of debt, according to The News-Press, although it did report annual revenue of $1 billion in 2016.

OCR Director Roger Severino hoped that the penalty would send a message about proactivity. “People need to trust that their private health information will remain exactly that,” he said. “It’s not just my hope that covered entities will learn from this example…it’s what the law requires.”

In an official statement, HHS says that “The settlement with OCR will resolve OCR’s claims against 21CO and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place.” The recently-disclosed settlement was approved by the bankruptcy court in December.

The situation could be far from resolved for the company, though. Numerous patient lawsuits related to the data breach are still pending against 21^st Century Oncology, which has also found other financial and regulatory issues in recent years. In a 2016 case, the Department of Justice found the company had routinely overbilled Medicare for unnecessary tests between 2009 and 2015. It was fined more than $34 million as a result.