Following cyber breach, hundreds join class-action lawsuits against 21st Century Oncology 

UPDATE: Individual lawsuits have since been dismissed and combined with a multi-district lawsuit titled “21^st Century Oncology Consumer Data Security Breach Litigation, Case No. 8:16-md-02737-MSS-AEP”

More than 300 people have joined three separate class-action lawsuits against 21st Century Oncology, claiming the company failed to take adequate security measures in protecting electronic medical records, resulting in a cyber breach exposing them to “substantial financial and other injury and damage.”

Filed in federal court this week, the lawsuits, brought on behalf of three patients, come nearly two weeks after the company announced that medical records of at least 2.2 million current and former patients were illegally obtained through a security breach.

The Fort Myers cancer-care giant said they have no evidence that patient information was misused or that employee data was obtained.

The plaintiffs are asking for more than $15 million from 21st Century, accusing the company of multiple violations including negligence, unjust enrichment and breach of implied covenant of good faith and fair dealing.

A 21st Century spokeswoman said the company does not comment on pending litigation.

The breach is the latest in a series of recent troubles for the company:

• 21st Century agreed to pay nearly $20 million in Dec. 2015 to settle federal allegations of billing Medicare and Tricare for expensive and unnecessary medical tests. Dr. David Spellberg, a Naples doctor named by federal prosecutors as participating in the practice, agreed to pay more than $1 million to settle his involvement in the case.
• Earlier this month, the company agreed to pay nearly $35 million to the federal government to settle a dispute involving training protocols of certain staff in the utilization of a radiation dose calculation system.

Described as the “largest global, physician-led provider of integrated cancer care services,” the company operates 181 treatment centers internationally, including 145 facilities in 17 states.

‘Insufficient’ response

The FBI notified 21st Century of the security breach in Dec. 2015, one month after investigators believe the intrusion occurred, but the company did not notify the Security and Exchange Commission until March 4, according to documents.

Current and former patients did not receive letters about the breach until about a week later, the suit said.

It described the company’s response as “slapdash and ineffective.”

The suit goes on to claims a similar data breach happened between Oct. 2011 and Aug. 2012, resulting in the federal indictment of a 21st Century employee who allegedly provided patient information to a third party.

A separate suit that 21st Century used “inadequate data security practices” to protect patient data and violated federal protocols for protecting medical information.

Confusion, fear

The letters informing patients of the data breach initially confused De De Stubb, who said she never dealt directly with 21st Century.

The company didn’t own any of her physicians’ practices either.

“I have a lot of concerns,” she said Wednesday. “I’ve worked hard to where I am, like many of us, and with our records being potentially compromised, that’s compromises potentially my credit, my identity, many things.”

Stubb described the breach as a personal violation, adding that 21st Century’s response hasn’t been reassuring.

“The damage is done, the records are out there somewhere, we don’t know where,” she said. “It does scare me, and it makes me feel helpless. There’s nothing I can do about this now, and again, I do feel violated.”

For more information from 21st Century Oncology, and for resources for affected patients, visit https://www.21co.com/securityincident.

The attorneys listed on all three class actions are:

Kenneth G. Gilman 
Gilman Law, LLP
Suite 525
8951 Bonita Beach Road, SE
Bonita Springs, FL 34135
239-221-8301