Cancer care provider 21st Century Oncology has agreed to pay HHS $2.3 million to settle allegations that it didn't implement proper protocols to protect patient information from hackers.
The settlement announced Dec. 28 stems from a federal investigation that found hackers stole the information of more than 2.2 million 21st Century Oncology patients in 2015. The stolen information included Social Security numbers, physicians' names, diagnoses and insurance information, according to the FBI.
A subsequent investigation by the HHS Office for Civil Rights found that 21st Century Oncology failed to implement sufficient security measures to protect patient information. The provider also didn't regularly and properly review its information system to ensure the data was protected.
"Since the criminal intrusion into one of our databases, we have invested in upgrading and improving our privacy safeguards and security systems," 21st Century Oncology said in a statement. "We will continue to work diligently on maintaining best in class security measures to ensure all of our databases are fully protected going forward."
21st Century Oncology has settled allegations with the federal government multiple times. In March 2016, it paid a reported $35 million to settle Justice Department claims that it knowingly billed the government for tests that were not medically necessary and not actually provided.
The Fort Myers, Fla.-based provider also filed for Chapter 11 bankruptcy in early 2017 after several years of falling revenue coupled with multimillion-dollar settlements.
Along with the $2.3 million payout, 21st Century Oncology is required to complete a risk analysis and risk assessment plan, revise policies and procedures, educate its workforce on patient protection and submit all business agreements to the Office for Civil Rights.
"People need to trust that their private health information will remain exactly that, private," Roger Severino, director of the Office for Civil Rights, said in a news release. "It's not just my hope that covered entities will learn from this example and proactively find and address their security risks, it's what the law requires."
21st Century Oncology operates 179 cancer centers, including 143 centers in 17 states and 36 centers in Latin America.