Corrective action plan will ensure 21st Century Oncology is HIPAA compliant

21st Century Oncology (21CO), a cancer care provider with 180 treatment centers across the US and Latin America, has agreed to pay $2.3 million to the US Department of Health and Human Services (HHS) to settle allegations that the group failed to implement proper data security protocols.

The seven-figure settlement follows an internal investigation into two separate breaches dating back to 2015, where it was determined that hackers gained access to the personally identifiable information of more than 2.2 million 21CO patients.

The stolen information included patients’ names, Social Security numbers, diagnoses, treatment details, and insurance information.

A subsequent investigation conducted by HHS’ Office for Civil Rights found that 21CO was in violation of the Health Insurance Portability and Accountability Act (HIPAA), due to its failure to address the potential risks and vulnerabilities to the confidentiality and integrity of its electronic data records.

In addition to the $2.3 million monetary settlement, a corrective action plan requires the oncology group to complete a risk analysis and risk management plan, revise its policies and procedures, educate its workforce on policies and procedures, and submit an internal monitoring plan.

“People need to trust that their private health information will remain exactly that – private,” said OCR director Roger Severino.

“It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”

Florida-based 21CO filed for Chapter 11 bankruptcy protection in May last year, following several years of falling revenue and other multimillion-dollar settlement payouts.

“The settlement will resolve OCR’s claims against 21CO, and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place,” said HHS.