21st Century Oncology to pay OCR $2.3 million for 2015 breach
Florida-based 21st Century Oncology has agreed to a $2.3 million fine to the U.S. Department of Health and Human Services stemming from a 2015 data breach that affected more than 2.2 million patient records.
The Fort Myers cancer care provider - which operates across 17 states - was alerted to a breach by the FBI in November 2015. The FBI asked that the notification be delayed until the agency could complete its investigation.
21st Century Oncology had just settled with the U.S. Department of Justice for $34.7 million over a billing fraud case when it made the breach public in March 2016.
The newest settlement, approved by the U.S. Bankruptcy Court in the Southern District of New York, said 21st Century Oncology also will comply with a corrective action plan. The provider must appoint a compliance officer, revise cybersecurity policies, perform a risk analysis and create internal breach reporting policies.
The court also approved a settlement that will resolve class action lawsuits filed in Florida right after the provider announced it had been breached. As part of the settlement, patients will be allowed to pursue and recover reimbursement from 21st Century Oncology’s cybersecurity insurance policy.
There’s $4,226,257 remaining under its policy, according to the document.
The organization also agreed on Tuesday to pay the DOJ $26 million to resolve False Claims Act allegations. The settlement resolves self-disclosed conduct in which the provider knowingly submitted, or caused the submission of, false attestations to the Centers for Medicare and Medicaid Services.
Further, the company admitted its employees falsified data regarding its EHR use, “fabricated software utilization reports and superimposed EHR vendor logos onto reports to make them look legitimate.” The provider also admitted it paid bonuses to physicians for patient referrals.