The HHS Office for Civil Rights (“OCR”) announced a $3.5 million settlement with Fresenius Medical Care Holdings, Inc. and five of its subsidiaries (collectively, “Fresenius”) following the report and investigation of five separate breach notifications. Of note, the five breaches in total impacted 521 individuals, with no single breach crossing the 500-individual threshold that triggers immediate notification. In fact, the breaches were all reported at the same time, near the annual deadline for reporting breaches impacting fewer than 500 individuals.
Diving into the background of the settlement report, there are not many surprises. Across the five entities, there were: five (5) desktop computers taken, two (2) laptops stolen, one (1) USB device taken from a car, and one (1) misplaced desktop hard drive. Because these incidents were reported as breaches, all of the computers and devices contained unsecured electronic protected health information, which means that none of the devices were encrypted. Taken together, these are run-of-the-mill breaches, similar to ones reported on a daily basis. It is unfortunate that such a statement can be made.
There is an interesting component to the announced resolution. Fresenius reported the five breaches on January 21, 2013. Yes, the report was submitted over five years ago. Likely as a result of the cluster of breaches by a group of commonly controlled entities, OCR conducted a compliance review. That review was initiated on July 15, 2013, about four and a half years ago. OCR’s review, summarized in the Resolution Agreement, found fairly typical forms of non-compliance. Specifically, risk analyses were insufficient, facilities were not adequately secured against unauthorized access, encryption was not utilized, and removed hardware was not tracked, among a few other findings. As suggested, none of these findings were unusual.
Why then was Fresenius fined $3.5 million, if the overview of the circumstances outlined above does not show any bad action that distinguishes it from previous breaches and settlements? To answer that question, it is important to remember OCR Director Roger Severino’s headline-making quote from the fall. Director Severino was quoted at a conference as saying: “At most I will say the big, juicy case is going to be my priority and the methods for us finding it – stay tuned.” That statement was coupled with a passing nod to including an educational component in any such big fine.
OCR Director Severino’s quote certainly makes the nature of the Fresenius fine a little more understandable. Trying to make a splash would seem to be the only justification for suddenly imposing a $3.5 million fine for five relatively small breaches that were reported and investigated over four years. That statement is not meant to dismiss the serious consequences and impact that all breaches, no matter how big or small, have on the individuals affected. However, the size of the punishment does not seem to fit the actions that occurred. As already indicated, many similar scenarios are reported on a daily basis, and no multi-million dollar fines are imposed. Instead, this feels like an instance of pursuing a large entity with deep pockets and a well-known name. On the whole, the settlement is not in line with OCR’s recent history of settlements.
With all of that being said, should entities with the ability to cover a large fine be more fearful about the fallout from any breach report? At best, the answer is that it remains to be seen. The Fresenius settlement should certainly be taken as a warning, though, and as a lesson that HIPAA-related settlements may focus more on the money than on actually conveying a lesson about HIPAA compliance.