The Office for Civil Rights (OCR) recently published an update on the outcome of the breach investigation surrounding 21st Century Oncology and a breach that occurred toward the end of 2015.

The Florida cancer center chain stated that the FBI notified them of the breach on November 13, 2015.  It affected 2,213,597 people, as the cancer center has 179 treatment centers.

The OCR conducted an investigation and discovered that 21st Century Oncology never conducted a risk assessment to identify possible risks and vulnerabilities to the protected health information (PHI).  Consequently, that meant the cancer center never implemented security measures to reduce those possible risks and vulnerabilities.  21st Century Oncology also never had policies and procedures to review system activity to look for malicious activity.  Finally, the OCR discovered that 21st Century Oncology did not have written business associate agreements with third-party vendors.  All of these are strict requirements for HIPAA compliance.

The cost for this gross negligence:  $2.3 million and a corrective action plan.

However, 21st Century Oncology filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.  According to another source, it appears that the cybersecurity insurance company for 21st Century Oncology will be footing this hefty bill.

The OCR states that the settlement will “resolve OCR’s claims against [21st Century Oncology] and the corrective action plan will ensure that the reorganized entity emerges from bankruptcy with a strong HIPAA compliance program in place. The settlement with OCR was approved by the Bankruptcy Court on December 11, 2017.”

To help protect your health care organization against large breaches and hefty fines, start using the HIPAAgps risk assessment and policy documents today.