Multi-state cancer center to pay HHS $2.3M for failure to protect ePHI

21st Century Oncology, Inc., a multi-state provider of cancer services and radiation oncology, will pay the HHS Office for Civil Rights (OCR) $2.3 million in lieu of potential civil money penalties and adopt a comprehensive corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. 21st Century is headquartered in Fort Myers, Florida, and operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America.
According to the settlement, on November 13 and December 13, 2015, the Federal Bureau of Investigation (FBI) notified 21st Century that patient information had been illegally obtained by an unauthorized third party and purchased by an FBI informant. As part of its internal investigation, 21st Century determined that the attacker may have accessed its network's structured query language (SQL) database as early as October 3, 2015, through Remote Desktop Protocol (RDP) from an Exchange server within its network. 21st Century determined that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment information, and insurance information.
A subsequent HHS OCR investigation indicated that 21st Century:

  • Impermissibly disclosed the protected health information (PHI) of 2,213,597 of its patients;
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI (ePHI);
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and
  • Disclosed PHI to third-party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.

Bankruptcy claims.

According to a Department of Justice (DOJ) press release, on May 25, 2017, 21st Century filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The settlement will resolve OCR’s claims against 21st Century and the CAP will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place. The settlement with OCR was approved by the Bankruptcy Court on December 11, 2017.

CAP requirements.

The CAP, attached to the settlement agreement as Appendix A, requires 21st Century to designate an individual to serve as the compliance representative (CR) who is knowledgeable about the HIPAA Rules and about policies and practices of 21st Century with respect to ePHI. The CR will be responsible for assuring 21st Century’s compliance with the settlement agreement and the CAP and for arranging for the provision of such assistance as 21st Century may require to comply with the agreement and the CAP, including, but not limited to, arranging for the completion of a risk analysis and risk management plan, the revision of policies and procedures, the adoption and distribution of policies and procedures, business associate agreements, internal monitoring, external assessments, internal reporting, and annual reports.

Previous settlements.

On December 18, 2015, the DOJ announced that 21st Century agreed to pay $19.75 million to the government to resolve allegations that it billed Medicare and Tricare for fluorescence in situ hybridization (FISH) tests that were not medically necessary. FISH tests are laboratory tests performed on urine that can detect genetic abnormalities associated with bladder cancer. The lawsuit was captioned U.S. ex rel. Barnes v. Spellberg, Civil Action No. 2:13-cv-228-FtM-38DNF (M.D. Fla.). The claims resolved by settlement in that case were allegations only, and there was no determination of liability.
In addition, in March 2016, 21st Century agreed to pay $34.7 million to settle allegations that it performed and billed Medicare and Tricare for other procedures that were not medically necessary. Specifically, the allegations concerned the use of a medical procedure, called the Gamma function, to measure the exit dose of radiation from a patient after the patient received radiation treatment. In that case, the government alleged that 21st Century knowingly and improperly billed for this procedure under circumstances where the procedure served no medically appropriate purpose.
Patients of 21st Century have also filed multiple class action lawsuits against the provider alleging that it failed to establish adequate cybersecurity measures in violation of federal and state law. These actions are still pending.

SOURCE: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/21CO/index.html