21st Century Oncology, which bills itself as the world’s largest operator of cancer treatment centers with 179 locations, suffered a breach in 2015, losing control of more than 2 million patient records.
According to law firm Motley Rice, 21st Century found out about the breach when the FBI notified them – not a great way to start your day – (see here). The breach, they say, happened a month prior, in October 2015.
While 21st Century is a bit of a high flyer – started in 1983, sold to Vestar Partners for $1 billion in 2008, planned an IPO in 2014 but changed its mind and raised $325 million privately instead – it has all the problems of any business.
It filed for bankruptcy earlier this year, citing a bunch of reasons, including uncertainty in the health insurance market as a result of the new administration, but also the cost of litigation and the cost of complying with regulations regarding electronic health records – in other words, the costs resulting from the breach, including settling lawsuits from patients whose data was compromised and settling claims from Health and Human Services regarding the breach.
The Department of Health and Human Services (HHS) said that 21st Century failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information.
- Implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Have a written business associate agreement in place before disclosing protected health information to third-party vendors.
In other words, it failed to have any kind of reasonable cyber security program.
Last month 21st Century agreed to pay a fine of $2.3 million in lieu of what HHS could have whacked them with, which is many times that number, and to:
- Complete a risk assessment and create a risk management plan
- Revise policies and procedures
- Educate its workforce
- Create and maintain Business Associate Agreements (BAAs) with people it shares patient data with
- Submit to an internal monitoring plan – HHS’s version of an ankle monitor.
Also, if 21st Century fails to execute the corrective action plan, all bets are off and HHS can go after them for real civil money penalties.
HHS will supervise this corrective action plan, and if HHS doesn’t like something that 21st Century has done, its security policies, for example, 21st Century has 30 days to fix it.
21st Century is also required to engage and pay for an external third party to monitor its progress. HHS gets to interview and approve this third party. The assessor must submit a plan to play nanny to 21st Century within 60 days of selection, and HHS must approve that plan. The assessor, according to the terms of the corrective action plan, must make unannounced site inspections during the term of the agreement and must provide an annual compliance report to HHS.
A copy of the agreement can be found here.
While there are other business reasons for filing for bankruptcy, the after effects of the breach, including settlements and lawsuits, are likely an important part of that filing.
While it is not clear to me what effect the bankruptcy filing has on lawsuits that have not yet come to trial, there is certainly a short-term effect of staying them while the bankruptcy court figures things out. I am also not clear what effect the bankruptcy filing will have on lawsuits that were not filed prior to the bankruptcy filing date. This could be a way to dramatically reduce their liability, although it certainly would not make them any friends among the investors affected by the bankruptcy. 21st Century has also been involved in a number of lawsuits related to over- and fraudulent billing and to fees paid to doctors for referring patients to company-owned facilities. Clearly security is only one of many problems they are dealing with.
Apparently the bankruptcy did not stop HHS’s actions, including the fine and the corrective action plan.
Information for this post came from Dark Reading.