Fresenius Medical Care, a nationwide dialysis provider that also runs labs, urgent care centers and post-acute practices, has agreed to pay $3.5 million to settle patient privacy allegations made by the Department of Health and Human Services.
The Office for Civil Rights said Fresenius admitted to five breaches in 2012 and failed to heed HIPAA’s risk analysis and risk management rules.
Fresenius Medical Care North America, or FMCNA, has more than 170,000 patients and 60,000 employees. On January 21, 2013, the company filed five separate breach reports for incidents occurring between February 2012 and July 2012, indicating that electronic protected health information had been compromised at five different locations.
The breaches occurred at Fresenius Medical Care Duval Facility in Jacksonville, FL; Fresenius Medical Care Magnolia Grove in Semmes, AL; Fresenius Medical Care Ak-Chin in Maricopa, AZ; Fresenius Vascular Care Augusta, GA; and Fresenius Medical Care Blue Island Dialysis in Illinois.
The entities disclosed patient information without permission by providing unauthorized access, authorities said. The Office for Civil Rights said the company failed to conduct an “accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI [electronic protected health information].” A press release issued by HHS detailed the shortcomings.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
Fresenius must also formulate a corrective action plan, including a risk analysis and risk management plan, and revise policies and procedures on device and media controls, facility access and encryption.