On December 28th, the Department of Health and Human Services Office of Civil Rights (OCR) announced a $2.3 million settlement with 21st Century Oncology Inc. (21st Century) to settle potential violations of the HIPAA privacy and security rules. The settlement, the ninth settlement announced by OCR in 2017, was the first settlement announced by OCR since May. The 21st Century settlement brings OCR’s settlement total for 2017 to more than $19 million.
21st Century provides cancer care and radiation oncology services in 17 states and seven countries in Latin America. According to OCR, 21st Century was notified on two separate occasions in 2015 that its patient information was being obtained illegally by an unauthorized third party. 21st Century’s investigation found that unauthorized persons may have accessed a company database through a remote desktop protocol connection from an exchange server within the company’s network. The breach affected over 2.2 million individuals, exposing names, Social Security numbers, physicians’ names, diagnoses, treatment, and insurance information.
OCR’s investigation of the breach determined that 21st Century failed to conduct an accurate and thorough risk assessment and failed to implement sufficient security measures to reduce risks to the electronic protected health information held by the company to a “reasonable and appropriate level.” OCR also found that 21st Century failed to implement procedures to regularly review audit logs, access reports, security incident tracking reports, and other records of activity occurring through its information systems. Finally, OCR found that the company disclosed protected health information to third-party service providers without written business associate agreements in place. In addition to the monetary settlement, 21st Century agreed to a two-year corrective action plan that requires it to complete a risk analysis and implement a risk management plan, revise its policies and procedures, educate its workforce, and obtain the necessary business associate agreements.
While the pace with which OCR announced settlement actions slowed slightly in 2017 compared to the agency’s pace in 2016 (9 settlements this year versus 12 settlements in 2016), December’s $2.3 million settlement with 21st Century is a reminder that, even with the change in Administration, OCR continues to be willing to demand substantial sums from organizations as a result of HIPAA violations. The 21st Century settlement also signals that OCR will continue to be willing to look beyond the facts that gave rise to the breach or other event that brings a company to its attention in order to assess potential noncompliance with other aspects of the HIPAA rules. Risk assessments, and the steps taken to remediate the risks identified in those assessments, are recurring areas OCR cites in settlements, alongside other areas of potential noncompliance such as missing business associate agreements. The failure to adequately monitor network activity and logs is another recurring theme in data breach settlements. Organizations would be wise to continue to assess their compliance in these areas and train their workforces accordingly.