Presented by the Privacy and Data Security Practice Group

Legal Updates for Privacy and Data Security - February 2018

OCR Announces $3.5 Million Settlement With a Medical Provider for Five Separate Data Breaches

By David J. Shannon, Esquire

Fresenius Medical Care North America (FMCNA) and the Office of Civil Rights (OCR) have entered into a $3.5 Million settlement agreement to resolve five separate data breaches that occurred over a five-month period in 2012. FMCNA must also adopt a comprehensive corrective action plan to resolve the alleged HIPAA violations. FMCNA provides products and services for patients with chronic kidney failure and has over 60,000 employees and serves more than 170,000 patients. 

In January 2013, FMCNA advised the OCR of five separate breaches that occurred at their facilities in 2012. The OCR's investigation revealed that FMCNA had failed to comply with HIPAA and failed to conduct a proper risk analysis of the potential risks and vulnerabilities to its patients' electronic Protected Health Information (ePHI). Numerous disclosures of ePHI occurred by way of unauthorized access for purposes not permitted by HIPAA's Privacy Rule. The failures occurred at multiple FMCNA sites and facilities. An OCR director was quoted as saying that the number of breaches, involving a wide variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-risk analysis for a covered entity.     

This settlement reinforces the need for all covered entities to have proper HIPAA compliant policies and procedures that should be reviewed on a regular basis. FMCNA is now paying a multi-million dollar fine as well as enacting the numerous other corrective action plan requirements as a result of its failure to have proper policies in place.    


The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. To be removed from our list of subscribers who receive these complimentary Privacy and Data Security updates, please contact If however you continue to receive the alerts in error, please send a note to

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2018 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.