Cancer Center Chain: Hacker Attack Affects 2.2 MillionFBI Notified 21st Century Oncology of Incident
A Florida-based chain of cancer treatment centers is notifying 2.2 million individuals of a hacker attack that potentially compromised their protected health information.
In a March 4 statement, 21st Century Oncology, says that on Nov. 13, 2015, the FBI notified the company "that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database." It revealed the number affected in a Securities and Exchange Commission filing.
The company says it immediately hired a forensics firm to support its investigation, assess systems and bolster security. "The forensics firm determined that, on Oct. 3, 2015, the intruder may have accessed the database, which contained information that may have included patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, and insurance information. We have no evidence that any medical records were accessed."
21st Century Oncology, based in Fort Myers, Florida, operates 181 cancer treatment centers, including 145 in 17 U.S. states and 36 in seven countries in Latin America.
In a March 4 8-K form filing with the Securities and Exchange Commission, 21st Century Oncology adds that it is notifying current and former patients "that certain information may have been copied and transferred ... [although] the company has no indication that patient information has been misused in any way."
The company says in the SEC filing that the FBI asked that the company delay notification or public announcement of the incident until March 4, 2016 "so as not to interfere with its investigation. Now that law enforcement's request for delay has ended, the company is notifying patients and regulatory agencies as quickly as possible."
The healthcare provider says in the filing that it continues to work closely with the FBI on its investigation and hints about the potential financial impact of the incident.
"In addition to security measures already in place, the company has also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future. While the company has contingency plans and insurance coverage for certain potential liabilities relating to the intrusion, the coverage may not be sufficient to cover all claims and liabilities. The company will be responsible for deductibles and any other expenses that may be incurred in excess of insurance coverage. The company will recognize these expenses in the periods in which they are incurred."
21st Century Oncology is offering one year of free identity theft protection services to potentially affected patients.
Other Hacker Breaches
As of March 7, the 21st Century Oncology incident did not yet appear on the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of breaches affecting 500 or more individuals.
During the HIMSS 2016 Conference in Las Vegas last week, Deven McGraw, OCR deputy director of information privacy, acknowledged that although hacker attacks still only account for a small percentage of the breaches that appear on the wall of shame, "the number of records affected by hacking [breaches] is now ahead of theft and loss" of unencrypted computing devices and storage media by far.
A March 7 snapshot of the wall of shame shows that of the total 1,482 incidents listed that affected a total of 155.4 million individuals since September 2009, there have been 160 breaches involving "hacking/IT incidents," affecting 115.6 million individuals.
Nearly 100 million individuals affected by those hacker breaches were victims of only a handful of incidents reported last year by health plans. The largest was a cyberattack on Anthem Inc., which affected nearly 79 million individuals.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine predicts more major hacker attacks will hit the healthcare sector.
"This is likely a continuation of the trend that we saw last year," he says. "While we will still see a significant number breaches involving 500 or more individuals caused by unencrypted laptops or other information security issues, I think the big headlines will continue to be large breaches caused by outside hackers, possibly from state-sponsored hacker groups."
Learning from Third Parties
During the HIMSS16 Conference, security experts said it's common for the FBI and other third parties to be the bearer of bad news informing healthcare organizations that they are victims of breaches, as was the case in the 21st Century Oncology incident.
Kurt Long, CEO and founder of Fairwarning, a security product vendor, told attendees at one HIMSS security session that in nearly 70 percent of breaches involving PHI, "it's the FBI, local police or a patient that's reporting the breach to the healthcare organization. ... That's the new reality we're living in."
Greene points out: "I am pretty confident that for every hack that is identified, there are likely one or more others that are currently under investigation. All healthcare providers, especially larger ones, need to be aware that the risk of hacking is significantly on the rise, and should be prepared for an unpleasant call from law enforcement identifying that they have been hacked. There is a good chance that hackers are already in your system, and your focus should turn to not only protecting your perimeter but also identifying hackers within your network and limiting their ability to remove data."
Dan Berger, CEO of security consulting firm Redspin, says the incident involving 21st Century Oncology could prove to be linked to cyberattacks on other organizations.
"This would indicate to me that the FBI was likely investigating another incident and found evidence that 21st Century's database had been accessed illegally," he says. "Law enforcement often requests a delay in making breach information public during their investigation so as to not tip off hackers that they are on their trail."