Fresenius Medical Care North America (FMCNA), following five separate data breach incidents, has agreed to pay $3.5 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the $3.5 million settlement, noting that the company failed to heed HIPAA’s risk analysis and risk management rules. Furthermore, FMCNA agreed to adopt a comprehensive corrective action plan.
Based in Waltham, Massachusetts, FMCNA provides products and services for people with chronic kidney failure. The healthcare solution provider serves over 170,000 patients and has over 60,000 employees. FMCNA’s network consists of post-acute providers, hospitalists, urgent care centers, outpatient cardiac and vascular labs, and dialysis facilities.
Locations of the Breaches
According to OCR officials, FMCNA filed five breach reports, one for each incident, implicating the electronic protected health information (ePHI) of five separate FMCNA-owned covered entities. The five locations of the breaches were WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility); Fresenius Vascular Care Augusta, LLC (FVC Augusta); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin Facility); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility); and Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility).
Source: Healthcare Informatics