BAS Blog

HIPAA Breach Settlement

Written by BAS | Mar 1, 2018 1:00:00 PM

The first HIPAA breach settlement of 2018 involved five organizations owned by Fresenius Medical Care, a kidney dialysis provider. In a settlement agreement with the Department of Health and Human Services, Fresenius Medical Care agreed to pay $3.5 million and enter into a corrective action plan.

The breach was reported in January 2017 and involved five separate incidents between February 2012 and July 2012. The incidents involved a stolen USB drive, a missing hard drive and stolen computers. HHS concluded that the breaches occurred because Fresenius Medical Care did not conduct an accurate and thorough risk analysis of potential vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information.

As part of the corrective action plan, Fresenius Medical Care must conduct a risk analysis, revise its policies and procedures and implement workforce training.