21st Century Oncology, Inc . (21CO), a provider of cancer care services and radiation oncology, has agreed to pay a $2.3 million fine to the HHS after compromising the PHI of over 2 million patients. They must also adopt a thorough corrective action plan to settle any potential HIPAA violations in the future. The organization agreed to pay the costly penalty in lieu of facing potential civil money penalties. For large corporations, paying a $2.3 million fine is feasible. But if you're a small business, a $2.3 million fine could not only break the bank, but put you out of business as well.
Learning from 21st Century Oncology
21CO was notified twice by the FBI about patient information being illegally obtained by an unauthorized third party. The FBI proved the security issue by revealing 21CO patient files purchased by an FBI informant. During an internal investigation, 21CO determined that the unauthorized user had accessed 21CO’s network SQL database, with access beginning as early as October 3, 2015. The attacker used a remote desktop protocol from an exchange server within 21CO’s network to enter the SQL database. 21CO determined that 2,213,597 individuals were affected by this data breach, with the attacker having access to sensitive PHI such as their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. In its own investigation, the OCR noted that 21CO failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI)
- implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
- prevent disclosing protected health information (PHI) to third party vendors without a written business associate agreement
Along with paying the hefty $2.3 million settlement, 21CO must abide by a corrective action plan established by the OCR. The corrective action plan requires 21CO to:
- complete a risk analysis and risk management plan
- revise policies and procedures
- educate its workforce on policies and procedures
- provide all maintained business associate agreements to OCR
- submit an internal monitoring plan
21st Century Oncology files for bankruptcy
21CO operates and manages 179 treatment centers, including 143 centers located in 17 states and 36 centers located in seven countries in Latin America. But despite being a large corporation, the $2.3 million settlement with the OCR devastated the organization's finances. Yet, they were still able to afford a move to keep their business running. On May 25, 2017, 21CO filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. Chapter 11 bankruptcy allows 21CO to reorganize debts in order to regain profitability. Although there's an avenue for small businesses to also file for Chapter 11, often those filings get changed to Chapter 7 bankruptcy which results in liquidation of assets and the closing down of the business.
HIPAA violations can bankrupt small businesses
Considering that the PHI of over 2 million individuals was compromised by 21CO's insufficient security measures, the $2.3 million fine is fitting. But even for a small medical practice with less patients, HIPAA violation fines can be merciless. You may think, "What are the odds of receiving a HIPAA violation when the HHS have bigger fish to fry?" But often times, the HHS will receive a complaint from a patient that results in a full-scale investigation of your practice. While the initial complaint could be about something small, the HHS can find more violations during their investigation. That's exactly what happened Phoenix Cardiac Surgery, P.C.. The HHS investigated the small practice after they received a complaint from a patient about the use of online calendars. The clinic's staff had been posting clinical and surgical appointments on a publicly accessible calendar. Upon concluding their investigation into Phoenix Cardiac Surgery, the HHS found four other HIPAA violations along with the initial complaint. This resulted in a $100,000 settlement with the OCR. You can avoid drastic fines like these with Paubox's HIPAA compliant email. We encrypt all emails by default to eliminate accidentally sending PHI without encryption and prevent data breaches – both of which are common HIPAA violations. When facing costly HIPAA violation settlements, it's always better to be safe than sorry.