If you had searched DataLossDB.org to find out what we knew about data breaches involving Accretive Health, you would have found one incident from last year. But that may be the tip of the iceberg. Christopher Snowbeck of Pioneer Press reports that there were others:
When a laptop computer was stolen last summer from the locked car of an Accretive Health employee, it wasn’t the first time.
In June 2010, another employee at Accretive – a Chicago-based consultant hired by the Fairview health system to work on billing issues – reported that his laptop had been stolen from a locked car parked outside a restaurant in Roseville.
In the Roseville case, the laptop was encrypted and the computer was rendered inoperable about two hours after the theft, according to documents released this week by state Attorney General Lori Swanson. So it wasn’t considered a security breach that put patient records at risk.
But lightning struck again in late July 2011, when another Accretive Health employee’s laptop was reported stolen from a locked car in Minneapolis. In the second case, the laptop wasn’t encrypted and the Fairview and North Memorial health systems wound up having to notify thousands of patients about the risk to their personal health information.
The sequence of events is part of the reason Sen. Al Franken, D-Minn., turned up the heat on Accretive Health on Friday, April 27, with a letter to the company’s CEO demanding answers to a series of questions.
“The report states that Accretive employees lost six laptops to theft in three separate incidents,” Franken’s letter states. “Is this accurate?”
Fairview and Accretive officials have said there’s no evidence that any patient has been harmed by the laptop theft in Minneapolis. But they have not previously disclosed details about the June 2010 theft or the possibility that there might be a pattern of lost laptops.
Read more on Pioneer Press.
Perhaps one of the more shocking revelations was how Accretive responded to a laptop theft from an employee’s car:
In October, an Accretive Health executive followed up on the incident with a memo detailing some security tips. When traveling, laptops should always be in sight and under your control, the executive wrote in a document released by Swanson.
“If you can’t take your laptop with you,” the memo states, “leave it out-of-sight in the trunk of your car.”
Great advice, because cars are never stolen and trunks are never broken into, right?
Another shocking revelation in the Attorney General’s report was contained in a November 2011 presentation prepared by Accretive for Fairview. It noted, in part:
- Theft of the Accretive laptop continues to cause ripples in the Fairview community.
- Matt Doyle (the Accretive employee whose laptop was stolen) should not have had access to patient data.
- The stolen laptop of another Accretive employee (Brandon Webb) was not reported to Fairview.
(p. 11, Volume 3). Significantly, not only should Doyle not have had access to patient data, but he comingled data from Fairview with St. John’s Hospital in Michigan – even though he shouldn’t have had the latter’s data more than a year after he left that site (Volume 6, p. 14).
But it is Volume 4 – a volume totally devoted to privacy violations – that really contains a lot of descriptive material on the breaches. Here’s one subsection:
“Smash and Grabs.” Accretive employees operate mostly with laptops. Accretive prepared a slide presentation in February of 2011 which acknowledged that four Accretive laptops had been “smashed and grabbed” out of cars. (Ex. 4, p. 1.) In each instance, an Accretive employee left a laptop in plain view in a locked car, the car was broken into, and the laptop was stolen. The company notes that its laptops often contain “tons of patient health and financial information.” (Id., p. 2.)
On June 2, 2010, an Accretive employee named Brandon Webb left an Accretive laptop in plain view in his rental car in the parking lot of an Old Mexico Restaurant in Roseville, Minnesota. A thief broke into the car and stole the laptop. (Ex. 5.) At the time, Mr. Webb was working for Accretive on the Fairview revenue cycle contract.
Accretive failed to notify Fairview that the laptop had been stolen. Fairview instead learned of the compliance breach through a series of anonymous tips and from employees who questioned the wisdom of providing confidential medical data to Accretive when it did not bother to secure the data. (Ex. 6.) In November of 2011, Fairview complained to Stephen Kelly, the Vice President of Compliance at Accretive, that Fairview was disturbed to learn that a laptop had been left in plain sight in a car and stolen. (Ex. 7.) Mr. Kelly suggested that notice was not required because the laptop was encrypted. (Ex. 8.)
About a year after Mr. Webb’s laptop was stolen from his car, another Accretive employee had a “smash and grab” of his Accretive laptop from his car. On July 25, 2011, Accretive employee Matthew Doyle parked his car outside a restaurant in the Seven Corners neighborhood of Minneapolis. Once again, Mr. Doyle left the Accretive laptop in plain view of a thief, who broke into the car and stole the laptop. The laptop was not encrypted. (Ex. 9.)
The laptop contained confidential data on approximately 23,000 patients of Fairview and North Memorial Health Care, as well as data of a hospital in Detroit, Michigan. Three months after the laptop was stolen, in late October, 2011, Accretive finally responded with a report prepared by Kroll Consulting. (Id.) The Kroll report indicates that the laptop contained 15.4 gigabytes of data, more than 600 files containing PHI or PII, and 20 million records. The report gives no analysis as to why Mr. Doyle would comingle the patient records of various hospitals on his laptop, why he would need extensive health information about patients as a “revenue cycle” employee, why he would need to store so much patient data on his laptop, or why he would need to keep health records of Fairview patients when he was apparently now working on a revenue cycle contract with North Memorial Health Care. (Id.)
There’s so much in these volumes that it’s hard to know where to start, but if you read nothing else, read all of Volume 4.
This may turn out to be one of those incidents where a breach actually does kill a business. Accretive’s stock had already dropped following the January announcement of the Attorney General’s lawsuit against the company, and the release of the 6-volume report triggered a 42% drop in the stock price and an investor lawsuit. Now, just 12 hours ago, Accretive announced that it had lost its contract with Fairview:
Accretive Health, Inc. (NYSE: AH) said today that it has received notice of termination from Fairview Health Services of its Quality and Total Cost of Care (“QTCC”) services contract. The terms of the transition have yet to be determined. The Company will update its business outlook on its quarterly earnings call on May 9, 2012.