We previously reported [view related post] that 21st Century Oncology had suffered a data breach and notified 2.2 million patients that it had been the victim of a hacking that exposed the names, Social Security numbers, physicians’ names, diagnosis information, and insurance information of its patients.
Although the intrusion occurred in October 2015, 21st Century claimed it was unaware of the breach until the FBI notified it on November 13, at which time 21st Century announced that it had delayed notifying the patients until early March at the request of the FBI, which was investigating the intrusion.
Despite the request of law enforcement to delay notification, which is allowed in virtually all state breach notification laws and HIPAA, 21st Century was sued in a putative class action suit in federal court in Florida that alleges that 21st Century violated the Fair Credit Reporting Act and the Florida Deceptive and Unfair Trade Practices Act by failing to detect the intrusion, and further, by withholding the information from the patients. The patients allege that they should have been alerted sooner so they could protect themselves.
We expect that the plaintiffs’ claims that 21st Century should not have heeded the FBI’s request to delay notification, particularly in view of state law provisions that specifically allow such a delay, will be vigorously defended