From the FTC, a follow-up on a breach that was first disclosed in September 2011, and that I’ve covered a number of times on PHIprivacy.net (see these articles). Regular readers may recall that Accretive was also sued by Minnesota’s Attorney General. That suit settled for $2.5 million in July 2012.
Accretive Health, Inc., a company that provides medical billing and revenue management services to hospitals around the country, has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.
In its complaint against the Chicago-based business, the FTC alleges the company failed to provide reasonable and appropriate security measures and procedures to protect consumers’ personal information, including sensitive personal health information. Accretive had access to a wealth of personal information about the patients of its hospital clients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic information.
According to the complaint, Accretive’s failure to adequately safeguard such information led to a July 2011 incident in Minneapolis, Minn., where an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car. The Commission alleges that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.
The complaint also alleges that Accretive failed to employ reasonable procedures designed to ensure that employees removed consumers’ personal information that they no longer needed from their computers; and that in certain instances, when the personal health information of consumers was used in training sessions for employees, Accretive failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to consumers’ personal information based on an employee’s need for the information.
Under the terms of its settlement with the FTC, Accretive must establish a comprehensive information security program designed to protect consumers’ sensitive personal information. In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.
FTC staff also sent a letter to Accretive indicating that it would not recommend an enforcement action related to allegations concerning Accretive’s debt collection practices in hospitals. The letter notes that while staff is declining to recommend a Fair Debt Collection Practices Act case against Accretive at this time, the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility raises serious concerns.
The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Thursday, Jan. 30, 2014, after which the Commission will decide whether to make the proposed consent order final.
Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC requests that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each future violation of such an order may result in a civil penalty of up to $16,000.
N.B. Looking at HHS’s breach tool, it appears that their investigation of this incident has not been concluded as there’s no final summary.