21st Century Oncology, Inc. (21CO), a Florida-based cancer care service provider, agreed to pay $2.3 million to settle potential HIPAA violations.
In 2015, the Federal Bureau of Investigation notified 21CO that patient information had been obtained illegally by a third party and that patient files had been purchased by an FBI informant. 21CO reviewed the incident and determined that the attacker may have accessed its network SQL database through the remote desktop protocol on an Exchange server within the 21CO network. The impermissible access affected 2,213,597 individuals, exposing names, Social Security numbers, physicians' names, diagnoses, treatment and insurance information.
The Office for Civil Rights determined that 21CO failed to conduct a thorough assessment of the potential risks and vulnerabilities to this information and failed to implement security measures to address them. It also disclosed PHI to third-party vendors without a written business associate agreement.
21CO entered into a $3.2 million settlement and a corrective action plan. The resolution agreement and corrective action plan are available from the Office for Civil Rights.