A large provider of products and services to people with chronic and acute kidney disease has agreed to pay $3.5 million to the federal government after five separate low-tech data breaches in 2012, the U.S. Department of Health and Human Services has announced.

In addition to the monetary settlement, Fresenius Medical Care North America agreed to adopt a comprehensive corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security rules that were identified by HHS's Office for Civil Rights.

Fresenius is a German-based company with a North American unit that serves more than 170,000 patients in the United States through a network of dialysis facilities and outpatient labs.

Breach of electronic protected health info

The company reported five separate incidents, occurring between February and July 2012, that breached the electronic protected health information of patients at five of its facilities. The incidents involved the theft or loss of laptop and desktop computers or USB drives storing confidential patient data.

An ensuing investigation found that the facilities failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the data, and impermissibly disclosed patients' protected information by providing unauthorized access for a purpose not permitted by HIPAA, according to HHS.

OCR Director Roger Severino said in a statement, "The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."

A Fresenius North America spokesman said that there is no evidence that any of its patients' health information was improperly accessed or misused. The settlement is not an admission of any HIPAA violation, the statement said.

"We take the protection of our patients' health information very seriously," the statement continued. "It is a top priority for our company and a critical issue facing the entire health care industry. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft."

According to HHS, the breaches occurred at Fresenius facilities in Jacksonville, Florida; Semmes, Alabama; Maricopa, Arizona; Augusta, Georgia; and Blue Island, Illinois.

Corrective action plan

The corrective action plan requires the facilities to complete a risk analysis and risk management plan, to revise policies and procedures on device and media controls as well as facility access controls, to develop an encryption report, and to educate their workforce on those policies and procedures, HHS said.

Kristen Rasmussen ([email protected]) is an Atlanta-based reporter for our sister publication, Corporate Counsel, who covers health care, corporate legal departments and in-house attorneys.

© 2024 ALM Global, LLC, All Rights Reserved.