Here’s one we may not see on HHS’s public breach list, depending on how many patients were involved.
21st Century Oncology Services, an affiliate of Peninsula Cancer Care Center and 21st Century Oncology of Maryland, notified the Maryland Attorney General in July that they had been informed by federal law enforcement of an insider breach allegedly linked to a tax refund fraud scheme.
According to their letter, they were notified on May 15 that an employee was being criminally charged for having improperly accessed the protected health information of an unspecified number of their patients. The data were allegedly provided to a third party who used the names, Social Security numbers, and dates of birth for tax refund fraud.
21st Century Oncology Services reported that based on the federal indictment, they believe that the improper access occurred between October 11, 2011 and August 8, 2012. At the time of their July 10 letter, they had not concluded their own internal investigation into how the employee was able to access the information. I have not been able to find any statements on their web site or Peninsula Cancer Care Center’s site providing information on the breach, and 21st Century Oncology did not respond to an e-mail request from PHIprivacy.net for additional details.
Affected patients were offered a free year of credit monitoring.
Now what was I saying about the insider threat in the healthcare sector being under-included in many research analyses and surveys? This is just another example of breaches we generally do not find out about unless journalists like myself start digging through public records or requesting information under Freedom of Information.