One of the nation's largest dialysis providers has agreed to a $3.5 million settlement with the Office for Civil Rights for five separate data breaches that occurred in 2012.
Fresenius Medical Care of North America, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to the settlement after an OCR investigation revealed the company failed to perform an accurate and thorough risk assessment, which led to five separate data breaches over a five-month period in 2012.
The breaches, which were reported in 2013, were all linked to some version of theft, according to a resolution agreement (PDF). In Florida and Illinois, desktop computers containing patient information were stolen from two facilities. In Alabama, an unencrypted USB drive was stolen from an employee's car. In Arizona, a hard drive containing patient information was missing from a desktop computer that had been taken out of service.
All told, the breaches impacted just 521 patients. But OCR’s investigation, launched in 2013, found that Fresenius facilities repeatedly failed to implement policies and procedures to safeguard equipment from theft or encrypt patient information. It marks the first HIPAA settlement of 2018 and comes months after 21st Century Oncology paid $2.3 million for a 2015 data breach.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino said in an announcement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
Fresenius has been implicated in several other investigations over the past several years, including an investigation by the Department of Justice over a premium assistance program and an inquiry from the Kentucky Attorney General regarding potential fraud.
In addition to the fine, Fresenius has entered into a corrective action plan requiring it to conduct and submit to the Department of Health and Human Services “an accurate and thorough assessment of the potential security risks.” The company is also required to review and revise existing security procedures, implement a risk management plan, submit an encryption report and revise policies on device and media controls.