March 19, 2019


March 18, 2019


Oh No, Not Again…Chalk Up Yet Another Health Data Breach

21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago.

The breach occurred as early as October 3rd of last year when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach (see HERE) and is offering patients one year of identity theft protection services.

We highlighted concerns associated with law enforcement delays in discussing another data breach in July 2015 (see HERE). In that post, we discussed that the now infamous Anthem breach was announced within a week of the intrusion, but the delayed disclosure/action in the UCLA breach led to a class action lawsuit. With some health data breaches, it can take months to announce that individuals are at risk and to take remedial measures. This is sometimes at the request of law enforcement agencies, so as not to impede ongoing investigations, but the result of delay can be increased risk to affected individuals, and/or their increased wrath.

The company apparently was quick to address internal security systems once the intrusion was identified, but this story highlights the importance of proactive security monitoring and security measures. The best-case scenario is that these measures will protect your organization from a data breach. In the worst-case scenario of an actual data breach, they can at least help insulate you from allegations of systemic non-compliance, which are likely to follow in the form of an investigation or a class action lawsuit.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Ryan Cuthbertson, Health Care Attorney, Mintz Levin, Air Force Alum, Lawyer
Staff Attorney

Before joining the firm, Ryan was with the US Air Force for nearly 10 years. Most recently, he was with the Defense Contract Management Agency, where he oversaw the contract performance and compliance of military development programs. Previously, Ryan was with the Air Force’s Electronic Systems Center and led a high-profile software development program, for which he drafted contract documents and managed cost, schedule, and performance. Prior to this, he was in the Aircraft Sustainment Group at Robins Air Force Base and was responsible for technical orders for the entire...