Bankrupt provider network on the hook for more than $20 million to DOJ and OCR
A cancer therapy provider network recently reached several multi-million-dollar settlements with federal agencies amidst bankruptcy proceedings.
21st Century Oncology, a national network of cancer providers headquartered in Fort Myers, Florida, came under scrutiny by the Department of Justice (DOJ) and the Office for Civil Rights (OCR) earlier this year. In December, the organization agreed to a $26 million settlement with the DOJ and a $2.3 million settlement with OCR. 21st Century Oncology filed for bankruptcy in May, Reuters reported.
The DOJ settlement stems from allegations that 21st Century Oncology violated the False Claims Act by deliberately falsifying EHR data submitted to CMS to obtain improper EHR Incentive Program payments, according to the DOJ’s December 12 statement. The organization admitted that its employees falsified data on EHR use, created fake software utilization reports, and placed EHR vendor logos on the phony reports in an effort to make them appear legitimate. The settlement also resolves allegations that 21st Century Oncology violated the Stark Law by submitting claims for services performed by physicians with whom it had improper financial relationships.
21st Century Oncology fell afoul of OCR in 2015, when OCR notified the organization on two separate occasions in November and December that it had become aware that the organization had experienced a breach of protected health information (PHI). In both instances, OCR did not receive notification from 21st Century Oncology. HIPAA covered entities and business associates (BAs) are required to notify OCR of all breaches of PHI. Breaches affecting 500 or more individuals must be reported to OCR no later than 60 days after discovery of the breach. According to the resolution agreement filed on December 11 with the United States Bankruptcy Court for the Southern District of New York, OCR determined that the breach dated back to October 2015 and affected 2,213,597 individuals. OCR’s investigation discovered that 21st Century Oncology failed to comply with a number of core HIPAA requirements. The organization failed to:
- Conduct an accurate, thorough assessment of risks to electronic PHI
- Implement reasonable and appropriate security measures to reduce risks to PHI
- Obtain a BA agreement before disclosing PHI to a BA
- Regularly review records of system activity including audit logs and security incident tracking reports
OCR, unlike the DOJ, did not release a press statement regarding the settlement and did not post information regarding the settlement or resolution agreement to its list of resolution agreements.