Fresenius Medical Care (NYSE:FMS; ETR:FRE) has agreed to pay $3.5 million to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules arising from five separate breaches.
Fresenius reportedly submitted five separate breach reports on Jan. 23, 2013, covering incidents that occurred between Feb. 23, 2012 and July 18, 2012 and involved the electronic protected health information (ePHI) of patients at five of Fresenius' covered entities.
The breaches occurred at the Jacksonville, Fla.-based Fresenius Medical Care Duval Facility; the Semmes, Ala.-based Fresenius Medical Care Magnolia Grove; the Maricopa, Ariz.-based Fresenius Medical Care Ak-Chin; Fresenius Vascular Care Augusta; and Fresenius Medical Care Blue Island Dialysis.
An investigation by the Office for Civil Rights found that the Fresenius covered entities "failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI," according to the HHS release.
OCR also found that the entities had impermissibly disclosed patients' ePHI by allowing unauthorized access to it, and had failed to implement policies and procedures to address security incidents.
In addition to the payment, the settlement requires the Fresenius entities to adopt a comprehensive corrective action plan. Under the plan they must complete a risk analysis and a risk management plan, revise their policies and procedures on device and media controls, address encryption of ePHI, and train their workforce on the revised policies and procedures, according to the HHS release.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law,” OCR Director Roger Severino said in a press release.