21st Century Oncology Data Breach Settlement Gets Preliminary Approval

The court has given preliminary approval of a settlement proposal by 21st Century Oncology to take care of a November 2020 class-action lawsuit. The class-action lawsuit was submitted in District Court for the Middle District of Florida in support of victims of a 2015 cyberattack that potentially affected 2.2 million people.

The Federal Bureau of Investigation informed 21st Century Oncology regarding a breach of its systems on November 13, 2015. An unauthorized individual had acquired access to its network and potentially viewed or gained access to one of its databases on October 3, 2015. The database held patients’ names, diagnoses, treatment details, insurance data, and Social Security numbers. Notification letters to impacted persons were late at the request of the FBI so as not to get in the way of the investigation. Patients affected by the breach started receiving notifications in March 2016.

The Department of Health and Human Services’ Office for Civil Rights began a breach investigation and discovered possible HIPAA violations. 21st Century Oncology settled the case in December 2017 without admitting liability and agreed to pay a $2.3 million penalty.

The class-action lawsuit wanted breach victims to be compensated for experiencing losses due to the incident, such as repayment of out-of-pocket costs, time spent trying to remedy problems, and losses incurred because of identity theft and fraud.

Under the conditions of the proposed settlement, all breach victims will be qualified to claim credit monitoring and identity theft protection services through Total Identity for two years, which may be deferred for up to two years.

Furthermore, the 21st Century Oncology settlement deal will see breach victims repaid for default time spent fixing problems reasonably traceable to the data breach, which is centered on two hours at $20 each hour to a maximum of $40. On the other hand, a claim could be made for recorded time spent, up to 13 hours at $20 every hour to at most $260.

Any person who could present proof of out-of-pocket expenditures suffered due to the breach or documented fraud can be eligible to submit a claim to a maximum of $10,000.

All people informed concerning the breach in or around March 2016 are covered by the settlement and may present a claim. The deadline for claiming is May 10, 2021. Any class member who would like to protest or exclude themselves from the settlement deal has up to March 9, 2021 to do this.

Although the court has given the initial approval of the proposed settlement, final approval is not yet granted. A fairness hearing is slated for June 15, 2021.

About Christine Garcia 1295 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA