HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in the District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals.

21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016.

The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class action lawsuit sought compensation for breach victims who suffered losses as a result of the breach, including reimbursement of out-of-pocket expenses, time spent attempting to remedy issues, and losses to identity theft and fraud.

Under the terms of the proposed settlement, all victims of the breach will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which may be deferred for up to two years.

In addition, the 21st Century Oncology settlement will see breach victims reimbursed for default time spent remedying issues fairly traceable to the data breach, which is based on two hours at $20 per hour up to a maximum of $40. Alternatively, a claim can be made for documented time spent, up to 13 hours at $20 per hour to a maximum of $260.

Any individual who can provide proof of out-of-pocket expenses incurred as a result of the breach or documented fraud will be entitled to submit a claim up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and can submit a claim. The deadline for claiming is May 10, 2021. Any class member who wishes to object to the settlement or exclude themselves from it has until March 9, 2021 to do so.

While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A fairness hearing has been scheduled for June 15, 2021.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.