Governance & Risk Management , HIPAA/HITECH , Incident & Breach Response
$3.5 Million Penalty for Five Small 2012 BreachesFresenius Medical Care North America Agrees to HIPAA Settlement
In one of the largest HIPAA settlements ever, federal regulators have signed a $3.5 million settlement with a Massachusetts-based healthcare organization that reported five small health data breaches in 2012 involving lost or stolen unencrypted computing devices.
The breaches, which affected a total of about 521 individuals, were all reported to federal regulators on Jan. 21, 2013, by Waltham, Mass.-based Fresenius Medical Care North America. While breaches impacting 500 or more individuals must be reported to the Department of Health and Human Services within 60 days of discovery, breaches affecting fewer than 500 individuals must be reported annually.
Data exposed in the breaches included patient names, addresses, dates of birth, telephone numbers, insurance information, and, in some cases, Social Security numbers.
5 Largest HIPAA Penalties
|Advocate Health Care Network||$5.55 million|
|Memorial Healthcare System||$5.5 million|
|New York-Presbyterian Hospital and Columbia University||$4.8 million|
|Cignet Health of Prince George County||$4.3 million|
|Fresenius Medical Care North America||$3.5 million|
FMCNA is a provider of products and services for people with chronic kidney failure; it has over 60,000 employees who serve over 170,000 patients. FMCNA's network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.
FMCNA was cited for a lack of a risk analysis, a common theme in the OCR's HIPAA enforcement activities.
"OCR's investigation revealed FMCNA ... failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI," the agency notes in the statement. "FMCNA ... impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the HIPAA Privacy Rule."
Small Breaches, Big Penalty
The settlement is particularly notable because it shows that it does not take a breach that affects millions to get OCR's attention, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"And just as we have seen in other OCR enforcement actions ... an information security incident that results in a breach is seen to be a symptom of larger issues that indicate general failures to have appropriate safeguards in place," he says.
"Just as there were common threads into how the incidents occurred, OCR found a systemic failure across Fresenius in which there had been a lack of attention to putting into place basic safeguards electronic protected health information. Not only had FMCNA not conducted organizationwide information security risk analysis and risk management plans to address the vulnerabilities found by the assessment, there was a general lack of attention paid to protecting work stations and portable devices on which PHI was stored."
While the provisions of a corrective action plan FMCNA agreed to carry out require taking action at only the five health centers that experienced breaches, Holtzman says it's likely that the organization "will use this as a wake-up call to implement organizationwide changes into how it manages and safeguards its information system assets and protected health information."
The five breaches at the center of the settlement include these incidents:
- On Feb. 23, 2012, two unencrypted desktop computers were stolen during a break-in at Fresenius Medical Care Duval, in Jacksonville, Florida. One of the computers contained the electronic protected health information of 200 individuals.
- On April 3, 2012, an unencrypted USB drive, containing information on 245 individuals, was stolen from a workforce member's car while it was parked in the lot at the Fresenius Medical Care Magnolia Grove facility in Semmes, Alabama.
- On June 18, 2012, the FMCNA compliance line received an anonymous report that a hard drive from a desktop computer, which had been taken out of service to be replaced, was missing on April 6, 2012, from the Fresenius Medical Care Ak-Chin facility in Maricopa, Arizona. The workforce member whose hard drive, containing information on 35 individuals, was missing promptly notified the area manager, but the manager failed to report the incident to FMCNA's corporate risk management department.
- On June 16, 2012, an unencrypted laptop of a staff member at Fresenius Vascular Care in Augusta, Georgia, was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords. The laptop contained the ePHI of 10 individuals.
- On or around June 17-18, 2012, three desktop computers and one encrypted laptop were stolen from an FMC location in Blue Island, Illinois. One of the desktop computers contained the ePHI of 31 individuals.
The OCR settlement with FMNCA is the first for 2018, and one of only a handful of HIPAA enforcement actions handed down since the Trump administration took office a year ago.
In December, a federal bankruptcy court approved a $2.3 million settlement between OCR and bankrupt cancer care clinic chain, 21st Century Oncology pertaining to a 2015 cyberattack that impacted 2.2 million individuals. The payment was to be made by 21st Century Oncology's cyber insurer, Beazley Group (see Bankrupt Cancer Clinic Chain's Insurer to Cover Breach Fine).
In May 2017, OCR signed a $387,000 settlement with St. Luke's-Roosevelt Hospital Center in New York to settle a case involving "careless handling of HIV information" for two patients (see Big Settlement in Privacy Case Involving 2 Patients' HIV Data).
According to the resolution agreement, as part of a corrective action plan, FMCNA has also agreed to:
- Conduct a risk analysis;
- Develop and implement a risk management plan;
- Implement a process for evaluating environmental and operational changes;
- Develop a report regarding FMCNA's implementation of encryption;
- Review and revise policies and procedures on device and media controls;
- Review and revise policies and procedures on facility access controls;
- Develop an enhanced privacy and security awareness training program.
In a statement provided to Information Security Media Group, FMCNA says it takes the protection of patients' health information "very seriously."
FMCNA says the settlement with HHS OCR resolves "alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients' health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft."