Fort Myers, Fla.-based 21st Century Oncology has agreed to pay HHS' Office for Civil Rights a $2.3 million settlement to resolve issues related to a 2015 data breach that affected 2.2 million patient records.
21st Century Oncology operates 179 cancer treatment centers across the U.S. and Latin America. According to court documents, the company failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to its electronic protected health information. It also failed to implement certain security measures and properly review its security systems.
The documents also allege 21st Century Oncology disclosed PHI to third-party vendors, despite obtaining a written business associate agreement outlining satisfactory assurances.
This marks another legal hurdle for the company, which also agreed to pay the federal government $26 million to resolve false claims allegations and a self-disclosure that it submitted false attestations regarding the use of EHR software. That settlement also resolves allegations that 21st Century Oncology violated the False Claims Act and Stark Law by submitting claims to government payers for services performed by physicians with whom it had improper financial relationships.
In addition to the monetary settlement, 21st Century Oncology entered into a five-year corporate integrity agreement with HHS' Office of Inspector General. The company filed for Chapter 11 bankruptcy in May.