DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Accretive Health Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information

Posted on December 31, 2013 by Dissent

From the FTC, a follow-up on a breach that was first disclosed in September 2011, and that I’ve covered a number of times on PHIprivacy.net (see these articles). Regular readers may recall that Accretive was also sued by Minnesota’s Attorney General.  That suit settled for $2.5 million in July 2012. 

Accretive Health, Inc., a company that provides medical billing and revenue management services to hospitals around the country, has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.

In its complaint against the Chicago-based business, the FTC alleges the company failed to provide reasonable and appropriate security measures and procedures to protect consumers’ personal information, including sensitive personal health information. Accretive had access to a wealth of personal information about the patients of its hospital clients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic information.

According to the complaint, Accretive’s failure to adequately safeguard such information led to a July 2011 incident in Minneapolis, Minn., where an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car. The Commission alleges that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.

The complaint also alleges that Accretive failed to employ reasonable procedures designed to ensure that employees removed consumers’ personal information that they no longer needed from their computers; and that in certain instances, when the personal health information of consumers was used in training sessions for employees, Accretive failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to consumers’ personal information based on an employee’s need for the information.

Under the terms of its settlement with the FTC, Accretive must establish a comprehensive information security program designed to protect consumers’ sensitive personal information. In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.

FTC staff also sent a letter to Accretive indicating that it would not recommend an enforcement action related to allegations concerning Accretive’s debt collection practices in hospitals. The letter notes that while staff is declining to recommend a Fair Debt Collection Practices Act case against Accretive at this time, the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility raises serious concerns.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Thursday, Jan. 30, 2014, after which the Commission will decide whether to make the proposed consent order final.

Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each future violation of such an order may result in a civil penalty of up to $16,000.

N.B. Looking at HHS’s breach tool, it appears that their investigation of this incident has not been concluded as there’s no final summary.

Category: Health DataOf NoteTheftU.S.

Post navigation

← Riverside Health System notifies 919 patients after employee improperly accessed their information
This was all too predictable… →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.