Fresenius Medical Care North America (FMCNA), which operates health care facilities throughout the nation, has settled for $3.5 million over a series of five breaches it reported in 2012. This was the first settlement of the year announced by the Office for Civil Rights (OCR), which enforces HIPAA.

Headquartered in Waltham, Mass., FMCNA is a provider of products and services for people with chronic kidney failure; it has over 60,000 employees and serves over 170,000 patients. FMCNA’s network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

The five separate breaches included:

  • The theft of two desktop computers in Florida containing the ePHI (electronic protected health information) of 200 patients
  • The theft of an unencrypted thumb drive from an employee’s car in Alabama containing information for 245 patients
  • The misplacement or theft of a hard drive containing 45 patients’ ePHI that was being replaced at a facility
  • The theft of an unencrypted laptop in Georgia containing 10 patients’ health data
  • The theft of three desktop computers, one of which contained information on 31 individuals

As part of the settlement, FMCNA must conduct a risk analysis, implement a risk management plan and an encryption protocol, and train all employees.

FMCNA issued a statement, which reads:

We take the protection of our patients’ health information very seriously. It is a top priority for our company and a critical issue facing the entire healthcare industry. We recently entered into a settlement agreement with the US Department of Health & Human Services Office for Civil Rights to informally resolve alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.