Failing to protect the health information of millions of patients in violation of HIPAA has led to 21^st Century Oncology Inc. settling with the Office of Civil Rights (OCR) division of the Department of Health and Human Services (HHS) to pay civil monetary penalties. The settlement with OCR will resolve OCR’s claims against 21^st Century Oncology and allow the company to emerge from bankruptcy with stronger HIPAA compliance measures in place.

The allegations against the company began in 2015 when the FBI notified 21^st Century Oncology that patient information was obtained by an unauthorized third party. It was later determined that the information was accessed from 21^st Century Oncology’s network, and that more than 2.2 million people were affected. The hacker accessed the patients’ names, Social Security numbers, physician names, diagnoses, treatments, and insurance information. OCR determined that the company failed to conduct accurate risk assessments on the potential vulnerability of the electronic protected health information (ePHI) of its patients and failed to implement adequate review mechanisms to catch such breaches. The company also was disclosing ePHI to vendors without an appropriate business associate agreement.

21^st Century Oncology is a cancer care provider with 179 treatment centers located throughout the United States and Latin America. In May 2017, the company filed for Chapter 11 bankruptcy protection due to financial problems unrelated to the OCR investigation.

21^st Century Oncology agreed to a corrective action plan that is available on the OCR website at: http://bit.ly/2qLQkjl.

Robert B. Vogel, MD, JD
Retinal Ophthalmologist at Piedmont Eye Center, Lynchburg VA;
Attorney, Overbey Hawkins & Wright, PLLS, Lynchburg, VA;
Adjunct Professor, Humanities and Bioethics, Liberty University School of Medicine, Lynchburg, VA.