A large provider of products and services to people with chronic and acute kidney disease has agreed to pay $3.5 million to the federal government after five separate low-tech data breaches in 2012, the U.S. Department of Health and Human Services has announced.
In addition to the monetary settlement, Fresenius Medical Care North America agreed to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security rules that were identified by HHS's Office for Civil Rights.
Fresenius is a German-based company with a North American unit that serves more than 170,000 patients in the United States through a network of dialysis facilities and outpatient lab.
|Breach of electronic protected health info
The company reported five separate incidents that occurred between February and July 2012 that breached electronic protected health information of patients at five of its facilities. The incidents involved the theft or loss of laptop and desktop computers or USB drives storing confidential patient data.
An ensuing investigation found that the facilities failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the data, and impermissibly disclosed patients' protected information by providing unauthorized access for a purpose not permitted by HIPAA, according to HHS.
OCR Director Roger Severino said in a statement, "The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."
A Fresenius North America spokesman said that there is no evidence that any of its patients' health information was improperly accessed or misused. The settlement is not an admission of any HIPAA violation, the statement said.
"We take the protection of our patients' health information very seriously," the statement continued. "It is a top priority for our company and a critical issue facing the entire health care industry. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft."
According to HHS, the breaches occurred at Fresenius facilities in Jacksonville, Florida; Semmes, Alabama; Maricopa, Arizona; Augusta, Georgia; and Blue Island, Illinois.
|Corrective action plan
The corrective action plan requires the facilities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, and to develop an encryption report and educate its workforce on policies and procedures, HHS said.
Related: Get ready: A cyber attack is coming
Kristen Rasmussen ([email protected]) is an Atlanta-based reporter for our sister publication, Corporate Counsel, who covers health care, corporate legal departments and in-house attorneys.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Kristen Rasmussen
Kristen Rasmussen is an Atlanta-based reporter who covers corporate law departments and in-house attorneys.
