On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information.

The breaches, which occurred at Fresenius facilities in Alabama, Arizona, Florida, Georgia and Illinois from February 23 to July 18, 2012, form the basis of OCR’s claims. According to the settlement, these breaches led to the exposure of 521 patients’ health data.

In announcing the settlement, OCR stated that Fresenius “failed to conduct an accurate and thorough risk analysis of potential risk and vulnerabilities to the confidentiality, integrity, and availability” of protected health data at its locations. Although Fresenius did not admit fault in the settlement, the company agreed to complete a risk analysis and risk management plan, update facility access controls, develop an encryption report and update employees on new policies and procedures.