In late 2015, a cyberattacker accessed 21st Century Oncology’s (21CO) network database. As a result, 21CO was investigated by the Department of Health and Human Services’ (HHS) Office for Civil Rights. 21CO settled with HHS, however, a class action lawsuit was then filed against them. Details on the settlement and the HIPAA data breach lawsuit are discussed below.
21st Century Oncology and OCR Settlement
The FBI informed 21CO that an unauthorized third party had illegally obtained patient PHI. As proof, the FBI produced 21CO patient files that were purchased by an FBI informant. 21CO then reported the data breach to the Department of Health and Human Services’ (HHS) Office for Civil Rights.
HHS, upon conclusion of its investigation, found that 21CO impermissibly disclosed the PHI of over 2.2 million patients; failed to conduct a risk analysis; failed to perform risk management; failed to enter into required business associate agreements; and failed to develop procedures to review information system activity. In lieu of paying civil monetary penalties to HHS, 21CO agreed to a $2.3 million dollar settlement in 2017. The settlement did not bring 21CO out of the woods, however. In 2016, a class action lawsuit was filed against 21CO in Florida federal court. The presiding judge has now given preliminary approval to a settlement proposed by 21CO to resolve the lawsuit.
Class Action Lawsuits and HIPAA
Individuals cannot file a private right of action under HIPAA. That is, HIPAA does not authorize individual lawsuits against covered entities or business associates, where the complaint is a HIPAA violation. However, in many states, individuals can file class action lawsuits for HIPAA violations. This is why class action claims were brought under the laws of the different states in which the plaintiffs reside.
21CO HIPAA Data Breach Lawsuit
In 2016, three proposed HIPAA data breach lawsuits were filed against 21CO. These complaints were consolidated into a single case. In the single class action HIPAA data breach lawsuit, the plaintiffs, 14 individuals filing on behalf of a nationwide class, alleged that 21st Century Oncology:
- Failed to secure patients’ sensitive and confidential data entrusted to them, including full names, Social Security numbers, physicians’ names, medical diagnoses, treatment information, and insurance information.
- Failed to secure, protect, and encrypt the PHI of the 2.2 million individuals, thereby making them vulnerable to misuse of their data.
- Made plaintiffs vulnerable to having fraudulent tax returns filed in their names; to stolen identities; and to medical fraud.
The plaintiffs in this data breach lawsuit alleged the following:
- Negligence;
- Gross Negligence;
- Negligent Misrepresentation;
- Breach of Express Contracts;
- Breach of Implied Contracts;
- Breach of Implied Duty of Good Faith and Fair Dealing;
- Breach of Fiduciary Duty; and
- Invasion of Privacy.
21st Century Oncology Class Action Data Breach Lawsuit Settlement Details
The data breach lawsuit sought damages for breach victims who suffered monetary losses as a result of the breach. Under the terms of the proposed settlement, all breach victims will receive two years of credit monitoring and identity theft protection services. In addition, all victims will be reimbursed for the time they spent attempting to remedy issues, such as identity theft, that were caused by the breach. Reimbursement will be provided for two hours of time, at $20 per hour. If a plaintiff can document that he or she spent time beyond that trying to remedy issues, that plaintiff can submit a claim for up to 13 hours, for a maximum of $260. Individuals who can provide documentation of out-of-pocket expenses incurred because of the breach are entitled to submit a claim of up to $10,000.
While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A Final Fairness Hearing has been scheduled for June 15, 2021.
