Medical Supply Giant to Pay $3.5M in Settlement for Five Separate Data Breaches
Fresenius Medical Care North America, a large provider of products and services to people with chronic kidney failure, has agreed to pay $3.5 million to the federal government after separate data breaches at five of its facilities in 2012.
February 05, 2018 at 04:39 PM
3 minute read
Photo: Shutterstock.com A large provider of products and services to people with chronic and acute kidney disease has agreed to pay $3.5 million to the federal government after five separate low-tech data breaches in 2012, the U.S. Department of Health and Human Services has announced.
In addition to the monetary settlement, Fresenius Medical Care North America agreed to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security rules that were identified by HHS's Office for Civil Rights.
Fresenius is a German-based company with a North American unit that serves more than 170,000 patients in the United States through a network of dialysis facilities and outpatient lab.
The company reported five separate incidents that occurred between February and July 2012 that breached electronic protected health information of patients at five of its facilities. The incidents involved the theft or loss of laptop and desktop computers or USB drives storing confidential patient data.
An ensuing investigation found that the facilities failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the data, and impermissibly disclosed patients' protected information by providing unauthorized access for a purpose not permitted by HIPAA, according to HHS.
OCR Director Roger Severino said in a statement, “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law.”
A Fresenius North America spokesman said that there is no evidence that any of its patients' health information was improperly accessed or misused. The settlement is not an admission of any HIPAA violation, the statement said.
“We take the protection of our patients' health information very seriously,” the statement continued. “It is a top priority for our company and a critical issue facing the entire health care industry. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”
According to HHS, the breaches occurred at Fresenius facilities in Jacksonville, Florida; Semmes, Alabama; Maricopa, Arizona; Augusta, Georgia; and Blue Island, Illinois.
The corrective action plan requires the facilities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, and to develop an encryption report and educate its workforce on policies and procedures, HHS said.
The agreement was signed by Susan Pezzullo Rhodes, HHS New England regional manager for the Office for Civil Rights, and Louise Bucolo Sr., director of privacy and information security, Fresenius Medical Care North America.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
In-House Lawyers Are Focused on Employment and Cybersecurity Disputes, But Looking Out for Conflict Over AI
As AI-Generated Fraud Rises, Financial Companies Face a Long Cybersecurity Battle
AI Adoption, Data Center Building Boom Opening More Doors for Cybercriminals, Many of Them Teenagers
Trending Stories
- 122-Count Indictment Is Just the Start of SCOTUSBlog Atty's Legal Problems, Experts Say
- 2Judge Rejects Walgreens' Contractual Dispute Against Founder's Family Member
- 3FTC Sues PepsiCo for Alleged Price Break to Big-Box Retailer, Incurs Holyoak's Wrath
- 4Greenberg Traurig Litigation Co-Chair Returning After Three Years as US Attorney
- 5DC Circuit Rejects Jan. 6 Defendants’ Claim That Pepper Spray Isn't Dangerous Weapon
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
