21st Century Oncology, a Fort Myers, Florida-based healthcare provider specializing in cancer care, has announced that a hacker has gained access to the sensitive protected health information of 2.2 million of its patients.
The Federal Bureau of Investigation alerted 21st Century Oncology to a potential intrusion by an unauthorized third party on November 13, 2015, although the intrusion first occurred more than a month earlier on October 3, 2015.
Upon discovery of the intrusion, the FBI launched an investigation and requested that 21st Century Oncology delay the announcement of the breach until March 4, 2016, so as not to interfere with the investigation. Breach notification letters to patients were similarly delayed, although letters are now being mailed to all affected individuals to alert them to the potential exposure and theft of their protected health information. All individuals affected by the breach have been offered a year of identity theft protection services without charge.
21st Century Oncology has told patients that the cyberattacker may have viewed and copied their names, physicians’ names, health insurance information, Social Security numbers, and details of their diagnoses and treatments. The investigation into the breach is continuing, although at this stage no evidence has been uncovered to suggest that any data have been used inappropriately.
An external computer forensics firm was hired to assist with the internal investigation, to secure the company's systems, and to improve security.
Access to the company’s database has now been blocked and additional security measures have been adopted to prevent cyberattackers from gaining access to patient data.
The 21st Century Oncology data breach impacts patients from all over the United States. The company operates 145 medical centers in the United States in Alabama; Arizona; California; Florida; Indiana; Kentucky; Maryland; Massachusetts; Michigan; Nevada; New Jersey; New York; North Carolina; Rhode Island; South Carolina; Washington; and West Virginia. 21st Century Oncology also operates 36 centers in Latin America.
Earlier this week, the U.S. Department of Justice announced that a $34.7 million settlement had been reached with 21st Century Oncology for performing medical procedures that served no medical purpose. The tests were billed to Medicare and Tricare. Patients had been subjected to procedures called gamma functions, which measured radiation levels after medical treatments. The company started performing these tests in 2009.