Data leak

21st Century Oncology Data Breach: 2.2 Million Patients, FBI Investigation

📅 2015-10-03 🏢 21st Century Oncology patient database

Incident Details

In October 2015, an unknown attacker compromised the patient database of 21st Century Oncology Holdings, the largest radiation oncology treatment chain in the United States, operating approximately 180 treatment centers. The FBI discovered the breach during an investigation unrelated to 21st Century Oncology and notified the company. The FBI asked 21st Century Oncology not to disclose the breach publicly for several months to avoid jeopardising the investigation. The breach was eventually disclosed in March 2016, approximately five months after the initial FBI notification. Approximately 2.2 million patient records were exposed, including names, Social Security numbers, dates of birth, physician names, diagnoses, treatment information, and insurance information. HHS OCR opened a HIPAA investigation. Separately, the company also discovered a second, smaller breach in 2016. 21st Century Oncology subsequently filed for Chapter 11 bankruptcy in 2017, citing in part the costs of data breach litigation and remediation. Multiple class-action lawsuits were consolidated. The delayed disclosure, made at the FBI's request, created tension between the needs of the law enforcement investigation and HIPAA's 60-day breach notification requirement, highlighting a recurring challenge in healthcare cybersecurity incidents that involve law enforcement investigations.

Technical Details

Initial Attack Vector
The FBI notified 21st Century Oncology that its systems had been compromised by an unknown attacker who gained access to its patient database. The specific technical attack vector was not disclosed; the FBI discovered the breach during an unrelated investigation and tipped off the cancer treatment provider.
Vendor / Product
21st Century Oncology patient database

Timeline

  1. 2015-10-03 Breach occurred
  2. 2016-03-04 Publicly disclosed
  3. 2016-03-04 Customers notified