21st Century Oncology, a Florida-based chain of 181 cancer treatment centers in the US and Latin America, announced earlier this month that an unauthorized intrusion into one of its databases may have exposed patient information.
In a Securities and Exchange Commission filing, the clinic said it is notifying approximately 2.2 million current and former patients whose names, Social Security numbers, physicians’ names, diagnoses and treatment information, as well as insurance information may have been accessed.
According to a statement made on March 4, 21st Century Oncology said the FBI notified the clinic on Nov. 13, 2015, that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database.
“We immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security,” said the clinic.
Based on the investigation, the forensics firm determined that the intrusion occurred on Oct. 3, 2015. However, the clinic said it was asked by the FBI to delay notification or public announcement of the incident until March 4, 2016, “so as not to interfere with its investigation.”
“Now that law enforcement’s request for delay has ended, we are notifying patients as quickly as possible,” the clinic said. “We continue to work closely with the FBI on its investigation of the intrusion into our system.”
Furthermore, the clinic noted it has taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.
Although there’s currently no indication that any of the data has been misused, the clinic added that it will offer affected individuals one year of identity theft protection services.
“We also recommend that patients regularly review the explanation of benefits that they receive from their health insurer. If they see services that they did not receive, please contact the insurer immediately,” said 21st Century Oncology.