
Cancer Center Chain Faces Multiple Breach Lawsuits

Legal Experts Size Up Cases Against 21st Century Oncology

At least seven class-action lawsuits have been filed against 21st Century Oncology, which recently reported a hacker attack that compromised the data of 2.2 million individuals.


The suits allege, among other things, that the company, which operates 181 cancer treatment centers, took inadequate security steps to protect data. But those filing the suits may have an uphill climb, some legal experts say, based on the outcomes of other cases making similar claims.

The company violated the Federal Trade Commission's Fair Credit Reporting Act and also the Florida Deceptive and Unfair Trade Practices Act, the suits allege. Other claims include breach of contract, unjust enrichment, negligence and invasion of privacy.

The lawsuits, which seek unspecified monetary, punitive and actual damages and/or restitution, will likely end up being consolidated, as is often the case when many suits are filed against an organization that's had a data breach.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says winning a case based on allegations of FCRA violations will prove challenging.

"This is not the first time that a plaintiff has alleged that a health information breach violated the FCRA," he says. "Last September, a U.S. Court of Appeals in Illinois dismissed a claim that Advocate Health violated the FCRA based on its data breach, finding that Advocate Health was not subject to the FCRA because it was not a 'consumer [credit] reporting agency.' While that decision is not binding on the court in this lawsuit, there is a good chance that the suit's FCRA claim will similarly fail."

One of the suits against 21st Century Oncology notes that "FCRA requires any business that shares data for consumer credit reporting purposes to maintain reasonable procedures designed to limit the furnishing of data to the purposes listed in the statute." Under FCRA, a person who receives medical information "shall not disclose such information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute," the lawsuit notes.

That lawsuit claims that, according to the company's notice of privacy practices, "21st Century Oncology collects and shares personally identifiable information and protected health information for purposes of collecting payment from insurers or third-party payers, subjecting it to the FCRA's requirements to safeguard PII and PHI and limit unauthorized disclosures."

Breach Details

21st Century Oncology first disclosed the breach affecting more than 2 million individuals in a March 4 filing with the Securities and Exchange Commission. The incident is also now listed on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website of health data breaches affecting 500 or more individuals.

In a separate March 4 statement, 21st Century Oncology said that on Nov. 13, 2015, the FBI notified the company "that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database." The company says it immediately hired a forensics firm to support its investigation, assess systems and bolster security. "The forensics firm determined that, on Oct. 3, 2015, the intruder may have accessed the database, which contained information that may have included patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, and insurance information. We have no evidence that any medical records were accessed."

Company Responds

In a statement to Information Security Media Group, 21st Century Oncology says, "as a company policy, we do not comment on pending litigation."

But the statement notes: "In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future."

The company addressed the litigation in an 8-K filing with the SEC on March 25.

"In connection with the data breach previously disclosed ... the company received notice that class action complaints have been filed against the company. The complaints allege, among other things, that the company failed to take the necessary security precautions to protect patient information and prevent the data breach. Due to the inherent uncertainties of litigation, we cannot predict the ultimate resolution of these matters or estimate the amounts of, or ranges of, potential loss, if any, with respect to these proceedings."

The company's SEC filing adds that it has insurance coverage and contingency plans for certain potential liabilities relating to the data breach. It also notes, "Nevertheless, the coverage may be insufficient to satisfy all claims and liabilities ... and the company will be responsible for deductibles and any other expenses that may be incurred in excess of insurance coverage."

'All Over the Map'

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the litigation against 21st Century Oncology "is a perfect example of the kind of all-over-the-map class action complaints that we are seeing where there is some kind of security breach. These are creative, free-wheeling and highly imaginative claims designed to overcome two substantial hurdles in these cases - a relevant cause of action that is meaningful when applied to a class, coupled with actual damages."

Regarding allegations of breach of contract and unjust enrichment, one of the complaints notes, "Plaintiffs paid money to 21st Century Oncology and/or their insurers for medical services. Accordingly, plaintiffs and class members paid 21st Century Oncology to securely maintain and store their PII and PHI. 21st Century Oncology violated its contracts ... by failing to employ reasonable and adequate security measures to secure Plaintiffs' and Class members' PII and PHI."

That lawsuit adds: "21st Century Oncology has retained the benefits of its unlawful conduct including the amounts received for data and cybersecurity practices that it did not provide. ... Plaintiffs and the class members are entitled to full refunds, restitution and/or damages from 21st Century Oncology."

A similar argument related to unjust enrichment was made in a class-action lawsuit against health plan AvMed, which was settled in 2013 with some class members essentially getting refunds for portions of their paid premiums that they argued should've been spent by AvMed on data security.

"While most data breach class actions get dismissed due to a lack of harm or damages, this unjust enrichment theory is one of the few to have had any success, leading to a substantial settlement in the AvMed suit," Greene notes.

A key difference, Greene says, is that the AvMed case involved regular premium payments by members to their health plan, while the 21st Century Oncology case involves payments by patients for specific services rendered by the healthcare provider.

"While the court in the AvMed case was willing to entertain the idea that some portion of premium payments properly go toward information security, another court might be less inclined to find that payments for specific healthcare services should be treated similarly," Greene says.

Similarly, Nahra is doubtful the unjust enrichment argument will succeed in the 21st Century Oncology litigation. "This allegation that 'some unknown percentage of my payment to you was for data security and I deserve it back' is creative, but has not been successful and is not actually a subject of any kind of negotiation in any meaningful commercial sense."

While the lawsuits against 21st Century Oncology so far do not appear to allege that the plaintiffs have been victims of identity theft resulting from the breach, the various complaints contend that the hacker incident puts affected individuals at risk for ID theft and fraud, and other crimes, such as tax fraud.

Looking Ahead

The courts have dismissed most breach-related class-action lawsuits based on a lack of proof of harm, although plaintiffs have prevailed in a handful of cases, including AvMed, Greene notes. But lawyers continue to file lawsuits in hopes of turning the tide.

"A case in the Supreme Court, Spokeo, is being closely watched on this issue, as the Supreme Court potentially could break the dam wide open."

In that case, Spokeo v. Robins, the high court is expected to decide, possibly this year, whether websites, search engines and others that amass personal information from public sources can be sued under federal law for publishing inaccurate information, even if the errors do not cause the plaintiff actual harm.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



