FMCNA to Pay $3.5 Million for Non-Compliance with HIPAA’s Risk Analysis and Risk Management Rules

Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. FMCNA’s network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

Read the full article on HHS’ website and pay careful attention to the 6 specific issues the OCR’s investigation identified as a basis for the fine:

  1. Failed to conduct an adequate risk analysis.
  2. Provided unauthorized access for a purpose not permitted by the Privacy Rule.
  3. Failed to implement policies and procedures to address security incidents.
  4. Failed to implement policies and procedures for devices containing ePHI inside and outside of the facility.
  5. Failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft.
  6. Failed to encrypt ePHI in appropriate circumstances.


Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Allscripts EHR Ransomware Attack is Huge–How Will it Impact Healthcare Practices?

See recommendations below

On January 19, 2018, cybercriminals were successful in a ransomware attack on Allscripts, an electronic healthcare record (EHR) provider for healthcare providers across the United States. The attack encrypted some of Allscripts’ systems and prevented those healthcare providers who use those systems for their EHRs from being able to access their patient records. Not only is there the obvious impact this has had on those healthcare providers’ ability to treat their patients, but also, under HIPAA, the Office of Civil Rights presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless certain criteria are satisfied. (See checklist in this post and this post for further explanation.)

The Texas Medical Liability Trust (TMLT)’s blog post, Allscripts EHRS Falls Victim to Ransomware Attacks, goes into much greater detail in describing the facts of this event and what has taken place since the initial attack. The blog also provides an excellent analysis of the Business Associates considerations in a situation such as this, and the post features several important recommendations for what practices need to do now from my friend and excellent cybersecurity and data privacy attorney Adrian Senyszyn (LinkedIn) and myself. So, what are you waiting for, go read the TMLT post … and hope and pray that you planned ahead and have cyber insurance!


OCR Issues Cyberattack Response Checklist and Infographic

The United States Department of Health and Human Services’ Office for Civil Rights has just issued a checklist and infographic to aid healthcare organizations and their vendors in quickly responding to cyberattacks in compliance with HIPAA requirements.

Are Smaller Healthcare Practices Required to Report a Ransomware or Potential Data Breach?

Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?

To many of you reading this post this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time the next time I get asked the same question. What is worse, however, is that I often hear people say — out of complete ignorance — “no, it is not a big deal.”

Let me be clear: it is a big deal – a very big deal – and if it is considered a “breach” then you are required to report. See this Guide for more information.

Healthcare professionals must understand just how important cybersecurity and privacy of patient protected health information (PHI) is to their practices: You can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.

Are ransomware attacks a data breach?

Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification, by default, unless you perform a risk assessment that considers four factors and determines there was no breach. See HHS FACT SHEET: Ransomware and HIPAA.

The reason for this lies in what is called the CIA Triad of Cybersecurity. To maintain the security of data, you must preserve its confidentiality, integrity, and availability; when a ransomware attack encrypts your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the nature of the ransomware, some strains exfiltrate data prior to the encryption, causing a failure to maintain confidentiality as well.

Is there a penalty for failing to notify?

See also Professor Daniel Solove’s 2017 HIPAA Enforcement Update.

Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to timely notify. Below are two notable cases where HHS has done this but it is important to note that the vast majority of the smaller ones are resolved with fines and compliance measures imposed at the investigation level:

Does HHS fine small healthcare practices?

Read these examples and decide for yourself:

If you would like more information about other HHS cases, read about these HHS Case Examples.


What are the 3 most important questions you should ask yourself now before you have an incident?

  1. Do you have privacy and cyber insurance coverage for your practice?
  2. Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
  3. Do you understand these 3 critical cybersecurity steps your organization must take?


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Why is Healthcare Data So Valuable to Cyber Criminals?

Healthcare data is one of the most desirable forms of data for cyber criminals to steal because its value on the cyber black market — the Dark Web — is much higher than most other forms of data. While there are several reasons for this, the recent study Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims, concluded

Does Data Security Have Your Healthcare Practice “On the Hook”?

I recently had the pleasure of presenting in a webinar series titled Is Your Practice “On the Hook?” to members of the Texas Dental Association and the Oklahoma Dental Association. Key points of the presentation, which focused on cyber security and data breaches in the healthcare industry, explained why protected health information (PHI) and electronic healthcare records are so valuable to cyber criminals and provided case studies of recent data breaches in the healthcare industry.

This presentation was arranged by my friend Larry Lewis (@SmartTraininglc) at Smart Training, LLC. If you are interested in obtaining a replay of this presentation, please contact Larry at Smart Training, LLC.


About the author

Shawn Tuma is a lawyer who is experienced in representing and advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Why do cyber criminals want your healthcare data?

During a recent presentation a member of the audience asked me why cyber criminals would want to steal a person’s healthcare data. It is easy to understand why they would want to steal payment card data — but healthcare data — not so obvious. Here is a great answer:

A crook would love [healthcare data] because, “in the world of black market information, a medical record is considered more valuable than everything else,” says Larry Ponemon, the Institute’s founder.

The study was sponsored by ID Experts, and its founder, Rick Kam, says that the “black market is being flooded with payment card data.” Health care data includes a Social Security number and personal health record—data that sticks around for a long time, versus a credit card number.

via Healthcare Data under Attack | Robert Siciliano.


Upcoming Webinar: Anatomy of a Data Breach

I am looking forward to presenting a (free) webinar for healthcare professionals on “Anatomy of a Data Breach.”

The webinar is free because it is being brought to you by the great folks at SmartTraining, LLC. You can learn more about the topics that will be covered on this page. It will be from 12:00 PM to 1:30 PM on Wednesday, July 31, 2013.

For more information, feel free to ask me or click the following to email SmartTraining, LLC or find them on Twitter @SmartTraininglc.

You can register right HERE.

What do the penalties look like for a HIPAA violation?

Here you go — they are rising and here is where they currently stand. As you can see, data breach is serious business and serious for your business.

Violation tier                    Penalty per violation     Annual maximum
Did Not Know                      $100 – $50,000            $1,500,000
Reasonable Cause                  $1,000 – $50,000          $1,500,000
Willful Neglect – Corrected       $10,000 – $50,000         $1,500,000
Willful Neglect – Not Corrected   $50,000                   $1,500,000

You can read the full article here: HIPAA Violation Penalties Rise in Response to Data Breaches | SmartData Collective.

Holy Cow – Do You Think This Is A HIPAA Privacy Violation?

Here is the best way I can frame this up: if you were the patient that had to go to the emergency room for constipation, would you want that information displayed publicly?

Here is why I ask …

It is Saturday morning and I am blogging on my iPhone from a semi-private room in the emergency room (at a hospital I will not name). Why?

Fortunately, we found out that we aren’t here for anything major, so we have found some way to occupy our time by following — in real time on a computer monitor — the things people have come to the emergency room for, a few of which are:
• constipation
• fever
• ankle injury
• kidney stones

Interesting, right? And, you know how I love technology — especially when I am just sitting around twiddling my thumbs.

But how about the fact that along with these symptoms are the patients’ names, ages, and gender? Wow!

Yes — you read that right. The monitors where this information is displayed are placed in plain view where anyone with decent eyesight can easily see everything on them. Hmmm….

What do you think? If you were “Mr Constipation” would you want it publicly displayed for the world to know?