Medical supplies giant Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to U.S. federal regulators after five separate data breaches in 2012.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) levied the fine, together with a corrective action plan, to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. A federal investigation found that the company had failed to conduct an accurate and thorough risk analysis of the vulnerabilities to its electronic protected health information (ePHI), the analysis the Security Rule requires of every covered entity under 45 CFR 164.308(a)(1)(ii)(A).
FMCNA filed five breach reports in January 2013 covering incidents between February and July 2012 that exposed the ePHI held by five FMCNA-owned branches across the United States.
The list of violations is long. One branch did not encrypt sensitive information (encryption of ePHI is an addressable implementation specification under the Security Rule, which means an entity must either implement it or document why an equivalent alternative is reasonable; it is not optional), another had no policies governing the removal of hardware from its facilities, two branches had no safeguards against unauthorized access or theft, and yet another had no procedure for responding to security incidents, according to the federal investigation.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino said in a statement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
Fresenius Medical Care is a Germany-based international conglomerate that sells medical supplies around the world, with a concentration on kidney care. The company reported about $18 billion in revenue for FY 2016.
FMCNA did not respond to a request for comment.