Bankrupt Cancer Clinic Chain's Insurer to Cover Breach Fine21st Century Oncology Faces More Than $29 Million in Penalties in Two Settlements
In an usual move, federal regulators have made arrangements to have a cyber insurer, Beazley Group, cover a $2.3 million HIPAA penalty on behalf of a bankrupt cancer care clinic chain, 21st Century Oncology, which separately agreed to false claims settlements totaling $26 million.
The Fort Myers, Florida-based company, which filed for Chapter 11 bankruptcy protection earlier this year, operates 179 treatment centers in the U.S. and seven countries in Latin America.
"This is the first time that I have seen OCR [Department of Health and Human Services' Office for Civil Rights] enter into a settlement with an organization that had declared bankruptcy at the time of settlement," says privacy attorney Adam Greene of law firm Davis Wright Tremaine, who was not involved in the case.
"As is increasingly the case, the covered entity was covered by cyber insurance," Greene says. "Normally, the covered entity would pay the settlement or fine and would get reimbursed by the insurer. Here, OCR is going directly to the insurer to receive the payment, which is likely in large part because the covered entity is in bankruptcy proceedings."
OCR has repeatedly stated it's not looking to put organizations out of business, Greene notes. "But, on the other hand, when things might be tough financially, OCR clearly still expects the organization to put significant resources into privacy and security.
"Here, the organization got hacked, and it was not necessarily the hack that led to a resolution agreement. Rather, OCR focused on root causes, such as an alleged lack of risk analysis and risk management."
A Beazley spokeswoman says the company does not comment on client-related matters. "In general terms, the coverage we provide under our breach response and information security and privacy liability policies includes regulatory defense and penalties," she says.
OCR and 21st Century Oncology did not immediately respond to Information Security Media Group's requests for comments.
Separately, the company was hit by a $26 million settlement from the Department of Justice for making false attestations regarding its use of electronic health records under the HITECH Act meaningful use financial incentive program as well as making other false claims.
The HIPAA settlement pertains to a 2015 data breach. Settlement documents approved on Dec. 11 by a federal bankruptcy court in New York note that on Nov. 13, 2015, and Dec. 13, 2015, the FBI notified 21st Century Oncology "that patient information was illegally obtained by an unauthorized third party."
A forensic auditing firm hired by 21st Century Oncology determined that the attacker may have accessed the clinic's network SQL database as early as October 2015 through the remote desktop protocol from an Exchange server within the company's network, settlement documents note. Data potentially compromised included patient names, Social Security numbers, diagnoses, treatment and insurance data.
OCR's investigation into the breach determined that the company failed to:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI;
- Implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports;
- Obtain written business associate agreements from third-party vendors handling PHI.
In addition to the financial payment, under the resolution agreement with OCR, 21st Century Oncology also agreed to a corrective action, which calls for taking such steps as:
- Completing a risk analysis and risk management plan;
- Revising its security risk policies and procedures;
- Adopting the revised security policies and procedures;
- Submitting an accounting and copies to OCR of all business associate agreements.
False Claims Settlement
In addition to the settlement with OCR, 21st Century Oncology also agreed to a pay $26 million to the government to resolve a false claims case stemming from the submission of false attestations regarding the company's use of electronic health records software and separate allegations that the clinic violated the False Claims Act "by submitting, or causing the submission of, claims for certain services provided pursuant to referrals from physicians with whom they had improper financial relationships," a Dec. 12 Justice Department statement says.
"21st Century Oncology reported that it knowingly submitted, or caused the submission of, false attestations to [HHS'] Centers for Medicare and Medicaid Services concerning employed physicians' use of EHR software," the DOJ says. "The company further reported that, in support of the attestations, its employees falsified data regarding the company's use of EHR software, fabricated software utilization reports, and superimposed EHR vendor logos onto the reports to make them look legitimate."
The settlement also resolves the government's allegations regarding violations of the physician self-referral law, commonly referred to as the "Stark Law," the DOJ says. "The government alleged that 21st Century Oncology ... violated the FCA by submitting, or causing the submission of, claims for services performed pursuant to referrals from physicians whose compensation did not satisfy any exception to the Stark Law," the statement says.
"21st Century Oncology admitted to causing violation of the meaningful use regulations in order to fund an electronic health records system, as well as falsifying records to cover up those actions," said Shimon Richmond, special agent in charge for the HHS Office of Inspector General, in a statement. "Separately, the government alleged that the company, through its affiliates and subsidiaries, caused certain physicians to enter into illegal financial arrangements. Providers engaging in similar behavior should expect attention from OIG."