The settlement with HHS is hardly the end of 21st Century Oncology's financial and compliance woes.
Florida-based 21st Century Oncology, which runs over 140 cancer centers in the US and is bankrupt, has agreed to pay $2.3 million to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The OCR, which is tasked with enforcing HIPAA compliance, investigated 21st Century Oncology following a 2015 data breach in which over 2.2 million patient records were compromised. The federal scrutiny and eventual fine result from the company’s alleged failure to thoroughly respond to the breach.
The FBI notified 21st Century Oncology of the breach in November 2015, and again a month later, although the final settlement notes that “the attacker may have accessed [21st Century Oncology]’s network SQL database as early as October 3, 2015.”
The December 28th settlement was made effective upon signing. In addition to the fine, it requires the company to enter into a corrective action plan (CAP) with HHS. CAP provisions will require the company to designate a HIPAA compliance representative to correspond directly with the Regional Manager of the OCR. The CAP also requires 21st Century Oncology to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities” regarding its patient health data security, which HHS says the company failed to do upon discovery of the breach.
21st Century Oncology is based in Fort Myers, Florida. It manages over 140 cancer specialty clinics in more than a dozen states across the country, from Key West to Detroit and from Providence to Anaheim. It also manages 36 locations in Latin America.
The company filed for bankruptcy in May of 2017, citing healthcare industry volatility, changes in reimbursement, and compliance costs. It employs more than 4,000 people, including hundreds of physicians. It has more than $1.1 billion worth of debt, according to The News-Press, although it did report annual revenue of $1 billion in 2016.
OCR Director Roger Severino hoped that the penalty would send a message about proactivity. “People need to trust that their private health information will remain exactly that,” he said. “It’s not just my hope that covered entities will learn from this example…it’s what the law requires.”
In an official statement, HHS says that “The settlement with OCR will resolve OCR’s claims against 21CO and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place.” The recently-disclosed settlement was approved by the bankruptcy court in December.
The situation could be far from resolved for the company, though. Numerous patient lawsuits related to the data breach are still pending against 21st Century Oncology, which has also faced other financial and regulatory problems in recent years. In a 2016 case, the Department of Justice found the company had routinely overbilled Medicare for unnecessary tests between 2009 and 2015. It was fined more than $34 million as a result.