After twice having patient information stolen without its knowledge in 2015, 21st Century Oncology, a large organization with 143 treatment centers in 17 states, has reached agreement with the HHS Office for Civil Rights on a corrective action plan to comply with the HIPAA privacy and security rules.

21st Century Oncology also will pay a $2.3 million civil money penalty to OCR.

The FBI in 2015 on two occasions notified the organization that patient information had been taken by an unauthorized third party, including patient files purchased by an FBI informant.

The organization’s network database was accessed over the Remote Desktop Protocol (RDP) from an Exchange server inside the network.

Following an investigation, 21st Century Oncology concluded that protected health information for 2,213,597 individuals had been put at risk, including patient names, Social Security numbers, physician names, diagnoses, treatments and insurance information, according to OCR.


OCR’s own investigation found that 21st Century did not conduct proper risk assessments to identify risks to electronic protected health information or implement sufficient security measures, and did not review records of information system activity, including audit logs, access reports and security incident tracking reports. The company also disclosed PHI to third parties without a written business associate agreement.

OCR Director Roger Severino in a statement said that individuals need to trust that their health information will remain private. “It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks; it’s what the law requires,” he added.

21st Century Oncology filed for bankruptcy protection earlier in 2017, and the settlement with HHS OCR was approved by the bankruptcy court in December. The resolution agreement and corrective action plan are available here.

In a statement to Health Data Management, 21st Century Oncology noted the company “fully cooperated with the government in resolving these historical matters and has no further comments.”
