21st Century Oncology pays $2.3M to OCR for 2015 data breach, moves forward with class action settlement

A bankruptcy court approved several settlements for the cancer care company, including a $2.3 million fine to OCR.

After filing for bankruptcy in May, 21st Century Oncology has agreed to pay a $2.3 million fine to the Department of Health and Human Services for a 2015 data breach that affected more than 2.2 million patients.

The national cancer care provider, headquartered in Fort Myers, Florida, has also agreed to settle class action lawsuits filed in 2016, according to court documents.

21st Century Oncology, which operates 179 treatment centers across 17 states, first learned of the attack from the FBI in November 2015. A subsequent internal investigation found that the attacker had accessed a patient database through Remote Desktop Protocol (RDP).

According to a settlement (PDF) approved by the United States Bankruptcy Court for the Southern District of New York, in addition to paying a fine to the HHS Office for Civil Rights (OCR), 21st Century Oncology has agreed to comply with a corrective action plan that requires the company to appoint a compliance representative, conduct a risk analysis, revise its cybersecurity policies and develop internal breach reporting procedures.


The bankruptcy court also approved a settlement (PDF) to resolve class action lawsuits filed in Florida shortly after the company announced the breach. The settlement allows data breach claimants to pursue and recover reimbursement from the company’s cybersecurity insurance policy through the Florida court. According to court documents, there is approximately $4.2 million remaining under the policy.

The company did not respond to a request for comment.

21st Century Oncology filed for Chapter 11 bankruptcy earlier this year citing changes to reimbursement and political uncertainty, as well as the cost of complying with EHR regulations. But the company was also reeling from $55 million in settlements tied to allegations that it billed government programs for medically unnecessary services.

Another settlement, also approved by the New York bankruptcy court, will add to those costs. The provider agreed to pay $26 million to settle recently unsealed allegations from a former vice president that the company paid bonuses to physicians based on patient referrals.