DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

21st Century Oncology settlement with HHS over 2015 data breach came with a $2.3 million price tag

Posted on December 15, 2017 by Dissent

There’s an update or follow-up to a breach involving 21st Century Oncology that was first reported on this site in March 2016. The breach, which they first learned of in November 2015 when federal agents contacted them, was the second breach in as many years that the entity had neither prevented nor discovered under its own means.  The 2013 incident involved a rogue employee, while the 2015 incident appeared to involve  a hack. Both compromised patient information.

The 2015 breach resulted in numerous lawsuits and couldn’t have occurred at a worse time, as the entity was in the process of finalizing a $19.75 million settlement with the government under the False Claim Acts.  There was also an announcement this week of a $26 million settlement under the False Claim Acts.

This week, FierceHealthcare broke the news that 21st Century Oncology had reached a $2.3 million settlement with OCR over the 2015 breach.  Although HHS has not issued a press release about this settlement, HHS’s findings from its investigation are incorporated in the court filing as an exhibit. Those findings include:

A. 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients. See 45 C.F.R. § 164.502(a);

B. 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of theelectronic protected health information (ePHI) held by 21CO. See 45 C.F.R. § 164.308(a)(1)(ii)(A);

C. 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A). See 45 C.F.R. § 164.308(a)(1)(ii)(B);

D. 21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. §164.308(a)(1)(ii)(D);

E. 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement. See 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

Related posts:

  • HHS announces $2.3 million settlement with 21st Century Oncology for violations of HIPAA
  • 21st Century Oncology Notifies Patients of Data Security Incident
  • Preliminary settlement approved in 21st Century Oncology 2015 breach case
  • An OCR investigation illustrates the value of investigating small and medium-sized entities
Category: HackHealth DataOf NoteU.S.

Post navigation

← Proctor schools hit by ransomware attack
Researcher claims LinkedIn ignored security flaw, but did they? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.