21st Century Oncology has agreed to pay a $2.3 million fine to the Department of Health and Human Services for a 2015 data breach that impacted more than 2.2 million patients.


According to court documents, the national cancer care provider, headquartered in Fort Myers, Florida, has also agreed to settle class action lawsuits filed in 2016. 21st Century Oncology operates 179 treatment centers across 17 states.

The breach of the company's network SQL database, and the theft of the medical data and Social Security numbers of millions of patients, is believed to have begun as early as October 3, 2015.

21st Century Oncology was notified of the breach in late 2015 after an FBI informant illegally obtained the patient data from an unauthorized third party. A subsequent internal investigation revealed that the attackers gained Remote Desktop Protocol (RDP) access through an Exchange server within the company's network. From there they were able to reach 2.2 million patient medical records and Social Security numbers, according to the Department of Health and Human Services (HHS).

As it does after every data breach affecting more than 500 individuals, the HHS Office for Civil Rights (OCR) conducted an investigation into the 21st Century Oncology data breach. The investigation determined that 21st Century Oncology had committed the following HIPAA violations:

  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Failed to have a written business associate agreement before disclosing protected health information to third-party vendors.
  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information.
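The investigation paragraph above describes the intrusion path (RDP sessions originating from an Exchange server), and the second violation listed is the failure to regularly review audit logs. The following is an added example, not code from the original article or from 21st Century Oncology, of the kind of audit-log review that catches that pattern: it parses flattened Windows Security logon records (Event ID 4624) and flags RDP sessions (LogonType 10) that originate from a host with no business starting them, as well as single sources that fan out to several targets. The host names, the one-line key=value log format and the allow-list of permitted RDP sources are constructed assumptions.

```python
"""Audit-log review for RDP logons that should not exist.

Added example, not code from the original article. Host names, the flattened
log format and the allow-list below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

RDP_LOGON_TYPE = 10  # Event 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: Windows Security events forwarded as one record per line,
# with the timestamp first and the remaining fields as key=value pairs.
SAMPLE_LOG = """\
2015-10-03T02:14:07 EventID=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=MAIL01 Computer=DB01
2015-10-03T02:21:44 EventID=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=MAIL01 Computer=FILE02
2015-10-03T02:35:10 EventID=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=MAIL01 Computer=DB02
2015-10-03T09:02:55 EventID=4624 LogonType=10 TargetUserName=jsmith WorkstationName=ADMIN-WS7 Computer=DB01
2015-10-03T09:05:12 EventID=4624 LogonType=3 TargetUserName=jsmith WorkstationName=ADMIN-WS7 Computer=FILE02
2015-10-03T10:40:00 EventID=4624 LogonType=2 TargetUserName=mrose WorkstationName=MAIL01 Computer=MAIL01
2015-10-03T11:15:30 EventID=4634 LogonType=10 TargetUserName=jsmith WorkstationName=ADMIN-WS7 Computer=DB01
"""

# Hosts permitted to originate RDP sessions (assumed: an admin workstation and a jump host).
ALLOWED_RDP_SOURCES: Set[str] = {"ADMIN-WS7", "JUMP01"}


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    user: str
    source_host: str   # WorkstationName: where the session was initiated
    target_host: str   # Computer: the host that recorded the logon


def parse_line(line: str) -> LogonEvent:
    """Parse one flattened record: first token is the timestamp, the rest are key=value."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return LogonEvent(
        when=datetime.fromisoformat(ts),
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        user=fields["TargetUserName"],
        source_host=fields["WorkstationName"],
        target_host=fields["Computer"],
    )


def parse_log(text: str) -> List[LogonEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def successful_rdp_logons(events: Iterable[LogonEvent]) -> List[LogonEvent]:
    """Keep only successful logons (4624) of the RemoteInteractive type; 4634 logoffs are ignored."""
    return [e for e in events if e.event_id == 4624 and e.logon_type == RDP_LOGON_TYPE]


def rdp_from_unexpected_source(events: Iterable[LogonEvent],
                               allowed: Set[str] = ALLOWED_RDP_SOURCES) -> List[LogonEvent]:
    """RDP sessions whose originating host is not on the allow-list (e.g. a mail server)."""
    return [e for e in successful_rdp_logons(events) if e.source_host not in allowed]


def rdp_fanout(events: Iterable[LogonEvent], min_targets: int = 2) -> Dict[str, Set[str]]:
    """Sources that opened RDP sessions to at least min_targets distinct hosts."""
    targets: Dict[str, Set[str]] = {}
    for e in successful_rdp_logons(events):
        targets.setdefault(e.source_host, set()).add(e.target_host)
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in rdp_from_unexpected_source(events):
        print(f"{e.when.isoformat()} RDP from non-approved host {e.source_host} "
              f"to {e.target_host} as {e.user}")
    for src, hosts in rdp_fanout(events).items():
        print(f"{src} opened RDP sessions to {len(hosts)} hosts: {sorted(hosts)}")
```

Run as-is, the script reports three early-morning RDP sessions from MAIL01 and that MAIL01 reached three distinct hosts; the admin workstation's single daytime session is not flagged. The two checks are deliberately independent: the allow-list catches a session from a server that should never originate RDP even if it touches only one target, and the fan-out count catches a source spreading across the network even if it is on the allow-list.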

In addition to paying a fine to the OCR, 21st Century Oncology has agreed to comply with a comprehensive corrective action plan that requires the company to appoint a compliance representative, conduct a risk analysis, revise its cybersecurity policies and develop internal breach reporting procedures.

The court also approved a settlement to resolve class action lawsuits filed in Florida shortly after the company announced the breach. The settlement allows data breach claimants to pursue and recover reimbursement from the company’s cybersecurity insurance policy through the Florida court. According to court documents, there is approximately $4.2 million remaining under the policy.

21st Century Oncology filed for Chapter 11 bankruptcy in May 2017 citing changes to reimbursement and political uncertainty, as well as the cost of complying with EHR regulations. The company was also reeling from $26 million in settlements tied to allegations that it billed government programs for medically unnecessary services. 

21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs in order to avoid downward payment adjustments. The settlement also resolves allegations that the company violated the False Claims Act by submitting, or enabling the submission of, claims that involved kickbacks for physician referrals.

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.