Fresenius Medical Care North America has agreed to pay $3.5 million to the HHS Office for Civil Rights and to adopt a comprehensive corrective action plan after acknowledging that it had security breaches of patient information at five dialysis facilities between February 2012 and July 2012.

An investigation by the HHS Office for Civil Rights revealed the Fresenius facilities “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its (patient data),” according to a press release from the agency. The breaches involved confidential information on 521 patients at five facilities located in Jacksonville, Florida; Semmes, Alabama; Maricopa, Arizona; Augusta, Georgia; and Blue Island, Illinois.

According to the release from the HHS Office for Civil Rights, the Fresenius dialysis facilities exposed the patient data by providing unauthorized access and allowed hardware and electronic media to be moved in and out to unsecured locations. In Florida and Illinois, computers containing patient information were stolen from two facilities. An unencrypted USB drive was stolen in Alabama from an employee’s care and in Arizona, a hard drive containing patient information was missing from a desktop computer that was taken out of service.

According to the HHS Office for Civil Rights, the Fresenius facilities repeatedly failed to implement policies and procedures to safeguard equipment from theft or encrypt patient information.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” HHS Office for Civil Rights Director Roger Severino said. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

In addition to the settlement, a corrective action plan requires the Fresenius-covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls, as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.