At the end of 2015, the FBI discovered a breach of 21st Century Oncology’s database affecting more than 2 million patients.

In accordance with the HIPAA requirements for reporting large breaches, 21st Century Oncology recently posted a media statement on the organization’s website to address the breach. The Florida-based oncology chain “operates 181 cancer treatment centers, including 145 in 17 U.S. states and 36 in seven countries in Latin America,” according to a Healthcare Info Security article.

The Florida cancer center chain stated that the FBI notified it of the breach on November 13, 2015, and that it was advised not to post a media report on the incident until later so as not to impede the investigation. In its media statement, 21st Century Oncology said that a forensics firm was also engaged to aid in the investigation and to help the organization protect its networks going forward. The firm determined that the intruder may have accessed the 21st Century Oncology database as early as October 3, 2015. This database contained Protected Health Information (PHI), including social security numbers, diagnosis and treatment information, and insurance information.

Although 21st Century Oncology does not believe the information was misused, the organization is providing a free one-year credit-protection service for affected patients. The cancer center chain also suggests that patients regularly review their insurance explanation-of-benefits statements to make sure there is no fraudulent activity. If anything unusual appears in those statements, patients are instructed to call their insurance provider immediately.

This is another example of how breaches are here to stay. Health care organizations will have to work diligently to stay ahead of would-be hackers. These organizations need to conduct risk assessments and implement stronger network protections and log monitoring. Log monitoring matters because, today, many organizations learn of a suspected breach from an outside party, as 21st Century Oncology did from the FBI. With log monitoring in place, an organization can see who accesses specific files and records, including PHI, and can flag possible inappropriate access, such as a malicious actor who has broken into the organization’s network to retrieve information.
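As an added illustration of the kind of flagging described above (example code, not from the original post or from 21st Century Oncology): a small triage script that reads a constructed PHI access audit log and flags access from outside approved networks, after-hours access by interactive accounts, and users touching an unusual number of distinct patient records. The log format, the approved subnet, the business-hours window and the per-user threshold are all assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values: approved clinic subnet, per-user distinct-record threshold,
# and the local business-hours window (07:00-19:59).
APPROVED_NETS = [ip_network("10.0.0.0/16")]
MAX_RECORDS_PER_USER = 3
BUSINESS_HOURS = range(7, 20)

# Constructed sample audit log: "timestamp user source_ip patient_id action" per line.
SAMPLE_LOG = """\
2015-10-03T02:14:05 svc_etl 10.0.5.9 P10001 SELECT
2015-10-03T02:14:06 svc_etl 10.0.5.9 P10002 SELECT
2015-10-03T02:14:07 svc_etl 10.0.5.9 P10003 SELECT
2015-10-03T02:14:08 svc_etl 10.0.5.9 P10004 SELECT
2015-10-03T09:30:12 drsmith 10.0.20.14 P10001 SELECT
2015-10-03T09:41:50 drsmith 10.0.20.14 P10002 SELECT
2015-10-03T23:05:33 jdoe 203.0.113.7 P10005 SELECT
"""


def parse(line):
    """Split one audit line into typed fields."""
    ts, user, ip, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip_address(ip), "patient": patient, "action": action}


def flag_phi_access(log_text):
    """Return a sorted list of (user, reason) pairs that warrant review."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    flags = set()
    per_user = defaultdict(set)
    for e in events:
        per_user[e["user"]].add(e["patient"])
        # Rule 1: PHI touched from an address outside the approved networks.
        if not any(e["ip"] in net for net in APPROVED_NETS):
            flags.add((e["user"], "source outside approved networks"))
        # Rule 2: an interactive (non-service) account working outside business hours.
        if e["ts"].hour not in BUSINESS_HOURS and not e["user"].startswith("svc_"):
            flags.add((e["user"], "after-hours access by interactive account"))
    # Rule 3: one account reading more distinct patient records than its role should need.
    for user, patients in per_user.items():
        if len(patients) > MAX_RECORDS_PER_USER:
            flags.add((user, f"{len(patients)} distinct patient records"))
    return sorted(flags)


if __name__ == "__main__":
    for user, reason in flag_phi_access(SAMPLE_LOG):
        print(f"REVIEW {user}: {reason}")
```

Each flag is a lead for a human reviewer, not a verdict; the point is that the organization sees the anomaly itself rather than hearing about it from an outside party months later.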

One of the biggest implications of a breach for health care organizations is the loss of trust and, with it, revenue. Organizations claim that protecting patient information is one of their foremost tasks, yet when a breach happens, the organization loses some of that trust. If patients then learn that the organization did not know about the breach at the time it occurred, patient trust becomes even more difficult to maintain. Suddenly, the organization is dealing not only with potential fines but with lost revenue from patients seeking care elsewhere.

Many health care organizations think they are immune to breaches, and then they end up in a serious breach situation like the one 21st Century Oncology is in now. Health care organizations need to take this seriously. Don’t risk losing the trust and loyalty of your patients; start addressing the HIPAA requirements and security standards today.
