Fresenius Medical Care hit with $3.5M fine for 2012 breaches
The HHS Office for Civil Rights has fined Fresenius Medical Care North America $3.5 million and imposed a corrective action plan that the organization must adopt after the company had five data breaches in five months in 2012.
Fresenius Medical is a major vendor of products and services for individuals suffering from chronic kidney failure with more than 60,000 employees serving 170,000 patients.
In January 2013, Fresenius Medical filed five data breach reports for five separate breach incidents related to the theft of computer equipment that happened between February 23 and July 18, 2012. The breaches occurred in five locations—in Alabama, Arizona, Georgia and two sites in Florida.
As OCR investigated the reports, the agency learned that the company had not conducted an accurate and thorough risk assessment on potential risks and vulnerabilities of its electronic protected health information.
OCR recently started ramping up privacy and security rule enforcement, reporting multiple sanctions against other HIPAA-covered entities. The agency has warned the industry that risk assessments are a core requirement for healthcare organizations tasked with effective protection of patient information.
In its complaint against Fresenius, OCR charged that various sites within the Fresenius Medical enterprise failed to implement policies and procedures to address security incidents; to govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility; to safeguard equipment from unauthorized access, tampering and theft; and to encrypt and decrypt ePHI when appropriate.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” says OCR director Roger Severino.
The corrective action plan requires all five covered entities to complete a risk analysis and risk management plan; revise policies and procedures on devices, media controls and facility access controls; develop an encryption report; and educate the workforce.
Regarding the OCR settlement, Fresenius Medical Care North America issued a statement that said, “We take the protection of our patients’ health information very seriously. It is a top priority for our company and a critical issue facing the entire healthcare industry. We recently entered into a settlement agreement with the US Department of Health & Human Services Office for Civil Rights to informally resolve alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”
The resolution agreement and corrective action plan can be found here.