
Thursday, January 11, 2018

Health Care Provider Fined Millions for Failure to Protect Health Records

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with 21st Century Oncology, Inc. (21CO) over the company's failure to protect the health care records of millions of people.  The settlement includes a $2.3 million payment, agreed to in lieu of civil money penalties that could have amounted to much more.  21CO has also agreed to put into place a comprehensive corrective action plan to remediate current problems and prevent future violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The case began when the Federal Bureau of Investigation (FBI) informed 21CO that patient information had been illegally accessed by an unauthorized third party. The FBI provided 21CO with patient files that an FBI informant had illegally purchased. 21CO conducted an internal investigation through an outside forensic auditing firm, which determined that the attacker reached health care records through a Remote Desktop Protocol (RDP) connection to a server housed within 21CO's internal network. The company learned that more than 2.2 million people had their medical information illegally accessed.  Information obtained by the attacker included patient names, Social Security numbers, physicians' names, diagnoses, treatment information and insurance information.

The subsequent HHS investigation determined that 21CO had committed the following violations of the HIPAA Privacy and Security Rules:
  • Impermissible disclosure of protected health information (PHI)
  • Failure to conduct a thorough assessment of the risks to the confidentiality, integrity and availability of PHI
  • Failure to implement security measures sufficient to reduce the risks to PHI to a reasonable and appropriate level, as HHS requires
  • Failure to regularly review records of information system activity, including audit logs, access reports and security incident tracking reports
  • Disclosure of PHI to individuals and entities acting as business associates without written business associate agreements in place

21CO provides cancer care and oncological radiation services. While its headquarters is located in Fort Myers, Florida, the company operates 179 treatment centers in 17 states and seven countries in Latin America.  21CO filed for Chapter 11 bankruptcy protection in May 2017 and received permission from the bankruptcy court to enter into the settlement agreement.
