Tag Archives: 21st Century Oncology

The Price of a Breach? Bankruptcy?

21st Century Oncology, which bills itself as the world’s largest operator of cancer treatment centers with 179 locations, suffered a breach in 2015, losing control of 2+ million patient records.

According to law firm Motley Rice, they found out about the breach when the FBI notified them – not a great way to start your day – (see here). The breach, they say, happened a month prior, in October 2015.

While 21st Century is a bit of a high flyer – started in 1983, they sold out to Vestar Partners for $1 billion in 2008, planned to go public in 2014 but changed their mind and raised $325 million privately instead – they have all the problems of any business.

They filed for bankruptcy earlier this year, citing a bunch of reasons, including uncertainty in the health insurance market as a result of the new administration, but also the cost of litigation and the cost of complying with regulations regarding electronic health records – in other words, the costs resulting from the breach, including settling lawsuits from patients whose data was compromised and settling claims from Health and Human Services regarding the breach.

Health and Human Services said that 21st Century failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information.
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Have a written business associate agreement before disclosing protected health information to third-party vendors.

In other words, failing to have any kind of reasonable cyber security program.

Last month 21st Century agreed to pay a fine of $2.3 million in lieu of what HHS could have whacked them with, which is many times that number, and to:

  • Complete a risk assessment and create a risk management plan
  • Revise policies and procedures
  • Educate its workforce
  • Create and maintain Business Associate Agreements (BAAs) with people it shares patient data with
  • Submit to an internal monitoring plan – HHS’s version of an ankle monitor.

Also, if they fail to execute the corrective action plan all bets are off and HHS can go after them for real civil money penalties.

HHS will supervise this corrective action plan and if they don’t like something that 21st Century has done, like their security policies, for example, 21st Century has 30 days to fix it.

They are also required to engage and pay for an external third party to monitor their progress. HHS gets to interview and approve this third party. The assessor will submit a plan to play nanny to 21st Century within 60 days of selection, and HHS must approve this plan. The assessor, according to the terms of the corrective action plan, must make unannounced site inspections during the term of the agreement. The third party must provide an annual compliance report to HHS.

A copy of the agreement can be found here.

While there are other business reasons for filing for bankruptcy, the after effects, including settlements and lawsuits related to the breach are likely an important part of that filing.

While it is not clear to me what the effect of the bankruptcy filing is on lawsuits that have not yet come to trial, there is certainly a short term effect of staying them while the bankruptcy court figures things out. I am also not clear what effect the bankruptcy filing will have on lawsuits that were not filed prior to the bankruptcy filing date. This could be a way to dramatically reduce their liability, although it certainly would not make them any friends with investors who were affected by the bankruptcy. 21st Century has been involved in a number of lawsuits related to over-billing and fraudulent billing and to fees paid to doctors for referring patients to company owned facilities. Clearly security is only one of many problems they are dealing with.

Apparently the bankruptcy did not stop HHS’ actions including fines and the corrective action plan.

Information for this post came from Dark Reading.

Insurers Say Cancer Center “On Its Own”

I wrote about 21st Century Oncology in March (see post here) when the FBI came knocking on their door. The result? 2.2 million records compromised. At that time they said that they likely did not have enough insurance to cover the costs of the breach.

Fast forward six months.

Law360 is reporting that Charter Oak Fire Insurance and Travelers Property Casualty Co. have asked a Florida court to rule that they have no duty to defend.

There are currently 17 class action suits pending.  If these insurance companies are found to have a duty to defend 21st Century Oncology, they will spend millions doing that.  Maybe tens of millions.

This incident was a cyber breach. These insurance policies do not appear to be cyber policies. Given that 21st Century has already said that they are concerned that they do not have enough insurance, they are likely grasping at straws.

Part of the reason that these lawsuits have been filed is that the plaintiffs say that 21st Century should have notified them sooner.

The breach happened, they say, around Oct. 3, 2015.

The FBI told them about the breach on Nov. 13th.

21st Century notified patients of the breach on Mar. 4, 2016, at the request, they say, of the FBI to delay notification.  I am not familiar with Florida law, but most states have an exemption from prompt notification when law enforcement requests it.  Assuming this is the case in Florida and assuming the FBI did ask for the delay, I don’t think this part of the case has much of a chance of succeeding.  However, I am not a lawyer and I certainly don’t pretend to be able to predict what juries will do.

I assume that the 17 pending class actions have a lot more claims in them that they will have to defend against.

The company’s 10-Q for the first quarter of 2016 said that they are “highly leveraged”, with over $1 billion of long term debt and are experiencing losses from operations.  Given the financial challenges that they will have to deal with over the next several years, this is not a great situation.  They have not revealed how much coverage they have.  I don’t think I would buy their stock right now.

For other companies, this is a great opportunity to look at the risks that they face and the coverages that they have and determine if they are aligned with each other.

Many companies have a $1 million or $3 million cyber liability policy. For small companies, this is probably fine. For a company with 800 physicians and 140 facilities, how much coverage is appropriate – in a highly regulated, highly targeted industry? How much coverage could they buy at any price?

And, you can count on the fact that come renewal time, either they won’t be able to renew, the retained liability (deductibles) will be through the roof or the premium will be out of sight.  We already saw this with Anthem after their breach.

I suspect that their troubles are only beginning.

My recommendation is (a) plan now, (b) have enough coverage and (c) make cyber risk mitigation a priority.

Information for this post came from Law360 (registration required).

Cancer Treatment Center Notified of Breach by FBI

21st Century Oncology, a Florida based cancer treatment center chain got that knock on the door that every CEO fears.

The FBI came to them to tell them that hackers accessed a database of 2.2 million clients. The data includes names, Social Security numbers, physicians’ names, diagnoses, treatment information and insurance information.

As I say all the time, one of the challenges of a cyber theft is that there is much less evidence than in the brick and mortar world.  In the physical world, if someone breaks into a store, for example, there might be a smashed front window and for sure, the merchandise that was taken is missing when the store owner opens the store in the morning.

In the cyber world there are clues, too, but they are much more subtle. After all, the data you had before the breach is still in your computer after the breach. There may be log file entries that can provide clues, but often the data that would be needed to detect the attack is not even being collected, and if it is collected it is not being examined. Typically, access occurs using stolen or phished credentials, so the access appears to be from a legitimate user.
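Because a stolen credential produces log entries that look like a legitimate user, the review of "records of information system activity" that HHS faulted 21st Century for not doing has to look at behaviour rather than at who logged in: how many distinct patient records an account touched compared with its own normal day, and when. The Python below is an added example, not code, log data or policy from 21st Century Oncology, Dark Reading or this post; the log format, account names, patient ids, baselines and business hours are all constructed to show the idea.

```python
"""Audit-log review for an EHR-style record access log.

Added, constructed example (not 21st Century Oncology's code or logs). Every
access below is made with a valid credential, so the only usable signals are
per-account volume against a baseline and time of day.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: typical number of distinct patient records each
# account touches per day. In practice this is learned from weeks of logs.
BASELINE = {"dr.smith": 12, "nurse.lee": 15, "billing.svc": 40}

# Hours (local, 24h) in which access is expected; anything else is off-hours.
BUSINESS_HOURS = range(7, 20)


def make_sample_log():
    """Build constructed lines of the form '<ISO ts> user=<id> action=<verb> patient=<id>'."""
    lines = [
        "2015-10-03T09:12:01 user=dr.smith action=view patient=P1001",
        "2015-10-03T09:15:44 user=dr.smith action=view patient=P1002",
        "2015-10-03T10:02:10 user=dr.smith action=update patient=P1001",
        "2015-10-03T11:40:09 user=nurse.lee action=view patient=P1003",
        "2015-10-03T11:41:30 user=nurse.lee action=view patient=P1004",
        "2015-10-03T21:30:00 user=nurse.lee action=view patient=P1005",
    ]
    # A service account pulling 250 distinct records at 02:00 with its real password.
    for i in range(250):
        lines.append(
            f"2015-10-03T02:{i // 60:02d}:{i % 60:02d} user=billing.svc action=export patient=P{2000 + i}"
        )
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into a dict; raises on a malformed line rather than skipping it."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": fields["user"],
        "action": fields["action"],
        "patient": fields["patient"],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def review(events, baseline, max_ratio=5, min_records=20, hours=BUSINESS_HOURS):
    """Return a list of findings, each {'user', 'day', 'reason', 'detail'}.

    bulk_access : distinct patients touched in one day exceed
                  max(min_records, max_ratio * baseline) for that account.
    off_hours   : any access outside the expected hours.
    no_baseline : the account has no baseline, so its volume cannot be judged.
    """
    per_day = defaultdict(set)      # (user, day) -> set of patient ids touched
    off_hours = defaultdict(int)    # (user, day) -> count of off-hours events
    for e in events:
        key = (e["user"], e["ts"].date().isoformat())
        per_day[key].add(e["patient"])
        if e["ts"].hour not in hours:
            off_hours[key] += 1

    findings = []
    for (user, day), patients in sorted(per_day.items()):
        if user not in baseline:
            findings.append({"user": user, "day": day, "reason": "no_baseline",
                             "detail": f"{len(patients)} records, no baseline for account"})
        else:
            limit = max(min_records, max_ratio * baseline[user])
            if len(patients) > limit:
                findings.append({"user": user, "day": day, "reason": "bulk_access",
                                 "detail": f"{len(patients)} distinct records > limit {limit}"})
        if off_hours[(user, day)]:
            findings.append({"user": user, "day": day, "reason": "off_hours",
                             "detail": f"{off_hours[(user, day)]} events outside "
                                       f"{hours.start:02d}:00-{hours.stop:02d}:00"})
    return findings


def flagged_users(findings):
    """Accounts that produced at least one finding."""
    return {f["user"] for f in findings}


if __name__ == "__main__":
    for f in review(parse_log(make_sample_log()), BASELINE):
        print(f"{f['day']} {f['user']:<12} {f['reason']:<12} {f['detail']}")
```

Run as a script it lists the findings: the physician's handful of daytime lookups produces nothing, the nurse's single 21:30 view is a low-signal off-hours note, and the service account's 250-record export at 02:00 trips both the volume and the off-hours checks even though the credential was valid. A real deployment would feed it the EHR's own audit export, learn the baselines from history instead of a dictionary, and route findings into the incident tracking the corrective action plan calls for; the point is that none of this works if the log is not collected and nobody reads the result.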

The FBI visited 21st Century last November but asked them to keep quiet until this week as they investigated the incident.  This could mean that they are looking into other breaches as well.

As more medical data is stored online, these breaches continue to rise and until the healthcare industry improves security, the hackers will continue to win.

Even at this early stage, the company is saying, in their 8-K filing with the SEC, that they likely do not have enough insurance to cover the costs.  This is pretty typical.  An incident like this could possibly cost them between $250 and $500 million when all is said and done.  Even if they have $100 million in insurance – and they have not said how much insurance and of what type they have – that still leaves them writing a large check.

Finding out about an incident from law enforcement is actually more typical than you might think.

According to Kurt Long, CEO of FairWarning, in nearly 70 percent of breaches involving protected health information the company finds out when law enforcement comes knocking on their front door.

From a brand reputation perspective, that is NOT how you want to find out.

Data for this post came from Data Breach Today.