John O’Brien recaps the Accretive Health news reported on this blog last week (here, here, and here):
A New York City law firm has followed up on Minnesota Attorney General Lori Swanson’s lawsuit against Accretive Health, filing a securities class action suit against the company.
In January, Swanson filed a suit against Accretive, a Chicago company that engages in medical debt collection, for allegedly failing to protect patient health care confidentiality. Last week, the firm Bernstein Liebhard initiated a shareholder suit that alleges the company and some of its executives failed to disclose they were violating health privacy laws.
Accretive’s stock plunged 42 percent last week after Swanson released a report on her investigation. It says the company may have violated state and federal laws by asking patients to pay their bills as they sought care.
But Accretive is fighting back and issued a press release today:
Accretive Health, Inc. today filed a motion to dismiss the Minnesota Attorney General’s Complaint in federal district court in Minnesota. The motion denies the Attorney General’s claims and requests that the Court dismiss the complaint, in its entirety, with prejudice. As stated in the motion, the Company believes “…the Attorney General’s First Amended Complaint includes allegations that are factually baseless and legally indefensible. What is worse is that rather than litigate this case in the courtroom, the Attorney General orchestrated a nationwide media campaign against Accretive Health.”
The motion includes the following grounds for dismissing the case:
1) The core of this case involves the criminal theft of a password-protected laptop. Under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act, a company cannot be held liable for the unforeseeable criminal act of a third party stealing a corporate laptop. Further, in the ten months since the laptop was stolen, there is no evidence (and the Attorney General does not even claim) that any patient data has been compromised. As a result, in the absence of any injury, the Attorney General lacks legal standing to pursue claims under HIPAA and the Minnesota Health Records Act as a matter of law.
2) On February 3, 2012, Accretive Health entered into a Consent Order with the Minnesota Department of Commerce to address its debt collection practices in Minnesota. Accretive Health continues to work cooperatively with the Department of Commerce. Under fundamental principles of law, the Attorney General is barred from pursuing the identical claims already addressed by a fellow state official.
3) The Attorney General’s consumer fraud claims are baseless in fact and law. In particular, it is undisputed that information about Accretive Health’s Quality and Total Cost of Care (“QTCC”) services at Fairview Health System, aimed at developing strategies to reduce emergency room admissions and in-patient stays for the sickest five percent of patients, were widely disseminated to the public in securities filings and media accounts, defeating any fraud claim.
As with all litigation, no assurance can be provided as to the outcome of the matters discussed herein.
[…]
Interesting that they say, “Under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act, a company cannot be held liable for the unforeseeable criminal act of a third party stealing a corporate laptop.” I would argue that theft of an unencrypted laptop from an unattended vehicle actually is a foreseeable act given how many reports of laptop thefts from cars have been reported in the media over the years.
We’ll see what the court says.
Accretive states it was an”password-protected laptop.” Is Accretive claiming that password protection means HIPAA compliant?
Or is that statement to be attributed to ignorant legal representation or poor press release prose?
I doubt they are suggesting that password protection is sufficient. I think they’re focusing on the damages aspects of state attorney general provisions, but the statute says “threats” to residents, which a stolen unencrypted laptop does pose, in my opinion. And there are statutory damages that can be awarded. I don’t MN law, but I think the state AG can sue them under HIPAA.