21st Century Oncology, Inc. (21CO), a Florida-based oncology services provider, has agreed to pay $2.3 million in a no-fault resolution to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential civil money penalties stemming from a 2015 cyberattack on its network SQL database. The Federal Bureau of Investigation (FBI) was first to detect that an unauthorized third party illegally obtained patient information from 21CO in October 2015. Upon further investigation by 21CO and OCR, it was determined that 21CO:
- Impermissibly disclosed the protected health information (PHI), including names, social security numbers, and diagnoses, and treatments, of 2,213,597 of its patients.
- Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI).
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Disclosed protected health information to third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement.