DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

21st Century Oncology settlement with HHS over 2015 data breach came with a $2.3 million price tag

Posted on December 15, 2017 by Dissent

There’s an update or follow-up to a breach involving 21st Century Oncology that was first reported on this site in March 2016. The breach, which they first learned of in November 2015 when federal agents contacted them, was the second breach in as many years that the entity had neither prevented nor discovered under its own means.  The 2013 incident involved a rogue employee, while the 2015 incident appeared to involve  a hack. Both compromised patient information.

The 2015 breach resulted in numerous lawsuits and couldn’t have occurred at a worse time, as the entity was in the process of finalizing a $19.75 million settlement with the government under the False Claim Acts.  There was also an announcement this week of a $26 million settlement under the False Claim Acts.

This week, FierceHealthcare broke the news that 21st Century Oncology had reached a $2.3 million settlement with OCR over the 2015 breach.  Although HHS has not issued a press release about this settlement, HHS’s findings from its investigation are incorporated in the court filing as an exhibit. Those findings include:

A. 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients. See 45 C.F.R. § 164.502(a);

B. 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of theelectronic protected health information (ePHI) held by 21CO. See 45 C.F.R. § 164.308(a)(1)(ii)(A);

C. 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A). See 45 C.F.R. § 164.308(a)(1)(ii)(B);

D. 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. §164.308(a)(1)(ii)(D);

E. 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement. See 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

Category: HackHealth DataOf NoteU.S.

Post navigation

← Proctor schools hit by ransomware attack
Researcher claims LinkedIn ignored security flaw, but did they? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.