In late 2015, a cyberattacker accessed 21st Century Oncology’s (21CO) network database. As a result, 21CO was investigated by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). 21CO settled with HHS; however, a class action lawsuit was then filed against the company. Details on the settlement and the HIPAA data breach lawsuit are discussed below.

21st Century Oncology and OCR Settlement

HIPAA Data Breach Lawsuit

The FBI informed 21CO that an unauthorized third party had illegally obtained patient PHI. As proof, the FBI produced 21CO patient files that were purchased by an FBI informant. 21CO then reported the data breach to the Department of Health and Human Services’ (HHS) Office for Civil Rights. 

HHS, upon conclusion of its investigation, found that 21CO impermissibly disclosed the PHI of over 2.2 million patients; failed to conduct a risk analysis; failed to perform risk management; failed to enter into required business associate agreements; and failed to develop procedures to review information system activity. In lieu of paying civil monetary penalties to HHS, 21CO agreed to a $2.3 million settlement in 2017. The settlement did not bring 21CO out of the woods, however. In 2016, a class action lawsuit was filed against 21CO in Florida federal court. The presiding judge has now given preliminary approval to a settlement proposed by 21CO to resolve the lawsuit.

Class Action Lawsuits and HIPAA

Individuals cannot file a private right of action under HIPAA. That is, HIPAA does not authorize individual lawsuits against covered entities or business associates where the complaint is a HIPAA violation. However, in many states, individuals can file class action lawsuits over conduct that also constitutes a HIPAA violation. This is why the class action claims were brought under the laws of the different states in which the plaintiffs reside.

21CO HIPAA Data Breach Lawsuit

In 2016, three proposed HIPAA data breach lawsuits were filed against 21CO. These complaints were consolidated into a single case. In the single class action HIPAA data breach lawsuit, the plaintiffs, 14 individuals filing on behalf of a nationwide class, alleged that 21st Century Oncology:

  • Failed to secure patients’ sensitive and confidential data entrusted to them, including full names, Social Security numbers, physicians’ names, medical diagnoses, treatment information, and insurance information.
  • Failed to secure, protect, and encrypt the PHI of the 2.2 million individuals, thereby making them vulnerable to misuse of their data.
  • Made plaintiffs vulnerable to having fraudulent tax returns filed in their names; to stolen identities; and to medical fraud.

The plaintiffs in this data breach lawsuit alleged the following causes of action:

  • Negligence;
  • Gross Negligence;
  • Negligent Misrepresentation;
  • Breach of Express Contracts;
  • Breach of Implied Contracts;
  • Breach of Implied Duty of Good Faith and Fair Dealing;
  • Breach of Fidu