Last week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported that 21st Century Oncology, Inc. (21CO) agreed to pay $2.3 million and adopt a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.
According to OCR's announcement, on two separate occasions in 2015, the Federal Bureau of Investigation (FBI) notified 21CO that patient information was illegally obtained by an unauthorized third party and produced 21CO patient files purchased by an FBI informant. As part of its internal investigation, 21CO determined that the attacker may have accessed 21CO's network SQL database as early as October 3, 2015, through the remote desktop protocol from an exchange server within 21CO's network. 21CO determined that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment, and insurance
Further, the OCR announcement goes on to say that their subsequent investigation revealed that 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement.
Finally, the announcement states that in addition to the $2.3 million monetary settlement, a corrective action plan requires 21CO to complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on those policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.
If you have any questions or would like help with a breach you may have experienced, large or small, please do not hesitate to contact us by email at [email protected] or by phone at 855-427-0427.