MANATEE -- As of Thursday, four class-action lawsuits have been filed in the U.S. District Court against Fort Myers-based 21st Century Oncology for failure to adequately protect patient data. The plaintiffs in total are seeking $15 million in relief.
The FBI notified 21st Century Oncology of a data breach on Nov. 13. Based on an internal investigation conducted by a forensics firm hired by 21st Century Oncology, the company determined "the intruder may have accessed the database on Oct. 3, 2015," according to the company's 8-K filed with the Securities and Exchange Commission on March 4.
The hacker, if successful, would have been able to see patients' personal information, including names, Social Security numbers, physicians' names, diagnoses, treatment information and insurance information.
"Millions of 21st Century data breach victims have lost control of sensitive information that endangers their financial, medical and emotional well-being for the rest of their already-burdened lives," said the complaint filed on March 21 on behalf of Rona Polovoy, a Florida resident. Polovoy's county of residence was not specified in the lawsuit documents. In the 8-K, 21st Century Oncology announced its intentions to provide notice of the data hack to "individuals that may have been affected by the incident and offering one year of complimentary identity protection services to those individuals."
About 2.2 million people could be members of the designated class, according to a complaint filed on March 23 on behalf of plaintiffs Jim Bimonte and Mary Ann Rodriguez. Bimonte is a resident of Broward County and Rodriguez lives in Palm Beach County. The other suits were filed on behalf of Lee County resident John Dickman and Stuart Kaplan, a Florida resident with no specified county in the suit documents.
According to the Department of Health and Human Services Web page on data breach notification, "individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach." The notification must include information about the breach, steps individuals should take for protection and what the breached agency is doing to investigate and prevent future hacks.
According to 21st Century Oncology's 8-K, the FBI asked the company to "delay notification or public announcement of the incident until today (March 4) so as not to interfere with its investigation."
To notify patients of the breach, 21st Century Oncology sent individual letters and made an announcement on its website, emphasizing "patient care will not be affected by this incident."
"In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future. 21st Century remains committed to maintaining the privacy and security of our patients' personal information," the company said in a statement Thursday.
Not its first breach
According to exhibits filed in Polovoy's case, the 2015 breach is not the first time 21st Century Oncology has experienced issues with cybersecurity.
Between Oct. 11, 2011, and Aug. 8, 2012, a 21st Century Oncology Services Inc. employee accessed patient personal information and was later criminally charged. According to the Polovoy case documents, the employee "used it and/or intended to use it in order to file fraudulent tax returns with the Internal Revenue Service."
Filing fraudulent tax returns, emptying bank accounts, opening new utility accounts, seeing doctors under a stolen identity and filing false claims with insurance companies are some examples of how identity thieves may use stolen information.
The 21st Century Oncology statement on the breach said it has no indication that patient data was misused. The "HIPAA Notice of Privacy Practices" link on the 21st Century Oncology website is no longer active.
The class-action suits follow two 21st Century Oncology settlements in other cases.
In December, 21st Century Oncology agreed to pay the federal government $19.75 million based on allegations regarding billing of federal health care programs for medically unnecessary laboratory tests.
In early March, 21st Century Oncology agreed to pay $34.7 million to settle a Medicare fraud lawsuit involving Florida offices. Both suits were instigated by information from whistle-blowers.
The cancer care center was established more than 30 years ago and operates 145 offices in 17 states.