21st Century Oncology Patients Seek Damages After PHI Exposure
Earlier this month, 21st Century Oncology reported a hacking incident that resulted in the exposure of 2,213,597 individuals’ protected health information (PHI).
The security breach, which was discovered by the FBI in November last year, exposed patients’ Social Security numbers, health information, and insurance data. All affected patients were offered a year of credit monitoring and protection services without charge.
According to the 21st Century Oncology’s substitute breach notice, in the four months since the discovery of the data breach, no evidence has been uncovered to suggest data have been used inappropriately.
Four Class-Action Lawsuits Filed in the Past 3 Weeks
Three weeks have passed since the announcement of the data breach and already four class action lawsuits have been filed against 21st Century by patients affected by the breach. Damages of $15 million are currently being sought for the failure to protect patients’ data from unauthorized access. The cancer care provider has also been accused of unjust enrichment, breach of implied covenant of good faith and fair dealing, and negligence.
One of the lawsuits was filed by a Florida resident who described the breach response of 21st Century Oncology as being “slapdash and ineffective.” She maintained that the provision of only one year of credit monitoring and credit protection services was “wholly insufficient,” and claimed the delay in issuing breach notification letters caused patients to come to harm.
Another lawsuit, filed by John Dickman, alleged “inadequate data security practices” and violations of federal laws covering the protection of Protected Health Information.
Since the lawsuits were filed, more than 300 patients have added their name to the lawsuits.
What Does HIPAA Say about Breach Notification Letter Delays?
The issuing of breach notification letters was allegedly delayed at the request of the FBI so as not to interfere with the investigation. Those notification letters started to be received by patients in early March; almost four months after patients’ PHI had been compromised. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to notify patients of a breach of their PHI within 60 days of the discovery of the breach, although those letters should be issued “without unreasonable delay.”
However, HIPAA Rules do permit covered entities to delay the issuing of breach notifications at the request of law enforcement, although it is unusual for notifications to be delayed for as long as 4 months.
The Department of Health and Human Services’ Office for Civil Rights investigates all reported breaches of PHI that affect more than 500 individuals. In cases where HIPAA rules appear to have been violated, a compliance review often takes place. Should that review determine that HIPAA Rules have been violated, civil monetary penalties can be issued.
The penalties for HIPAA violations can be considerable. OCR can fine covered entities up to $1.5 million per violation category, per calendar year.
Federal regulations require HIPAA covered entities to implement safeguards to protect PHI. However, covered entities cannot be expected to prevent all breaches of PHI. If OCR conducts a review, investigators will attempt to determine whether appropriate administrative, physical and technical safeguards were put in place to ensure the confidentiality, integrity, and security of ePHI.”
The outcome of these lawsuits is also likely to depend on whether the safeguards put in place by 21st Century to protect patient PHI were reasonable under the circumstances.