Cyber attack on cancer chain affects 2.2 million

Register now

A cyber attack last year on 21st Century Oncology Holdings has put the information of 2.2 million individuals at risk, the company announced this weekend.

The company operates 145 cancer treatment centers in the United States, and another 36 centers in Latin America. 21st Century Oncology has sent notifications to affected individuals and is offering them one year of identity theft protection services.

The organization learned of the attack from the FBI in mid-November 2015; an investigation revealed that the 21st Century Oncology database was accessed as early as October 3.

As has become common with cyber attacks on healthcare organizations, notification was significantly delayed at the request of law enforcement agencies. Many organizations that have had a cyber attack did not know about it until a law enforcement investigation into other attacks disclosed additional targets.

In a filing to the Securities and Exchange Commission, 21st Century Oncology revealed the extent of the attack, saying that information from “current and former patients that certain information may have been copied and transferred. The company has no indication that patient information has been misused in any way.”

However, 21st Century Oncology acknowledges that it was advised by the FBI that “patient information was illegally obtained by an unauthorized third party who may have gained access to a company database.”

Compromised information could have included patient names, Social Security numbers, physician names, diagnosis and treatment information and insurance information. In the SEC filing, the company indicated that it may not have enough insurance to cover all attack-related liabilities.

“While the company has contingency plans and insurance coverage for certain potential liabilities relating to the intrusion, the coverage may not be sufficient to cover all claims and liabilities. The company will be responsible for deductibles and any other expenses that may be incurred in excess of insurance coverage. The company will recognize these expenses in the periods in which they are incurred.”

For reprint and licensing requests for this article, click here.