DataBreaches.Net


July theft of computer with Fairview patient data wasn't the first, Minnesota AG says

Posted on April 28, 2012 by Dissent

If you were to search DataLossDB.org to find out what we knew about data breaches involving Accretive Health, you would have found one incident from last year.  But that may be the tip of the iceberg. Christopher Snowbeck of Pioneer Press reports that there were others:

When a laptop computer was stolen last summer from the locked car of an Accretive Health employee, it wasn’t the first time.

In June 2010, another employee at Accretive – a Chicago-based consultant hired by the Fairview health system to work on billing issues – reported that his laptop had been stolen from a locked car parked outside a restaurant in Roseville.

In the Roseville case, the laptop was encrypted and the computer was rendered inoperable about two hours after the theft, according to documents released this week by state Attorney General Lori Swanson. So it wasn’t considered a security breach that put patient records at risk.

But lightning struck again in late July 2011, when another Accretive Health employee’s laptop was reported stolen from a locked car in Minneapolis. In the second case, the laptop wasn’t encrypted and the Fairview and North Memorial health systems wound up having to notify thousands of patients about the risk to their personal health information.

The sequence of events is part of the reason Sen. Al Franken, D-Minn., turned up the heat on Accretive Health on Friday, April 27, with a letter to the company’s CEO demanding answers to a series of questions.

“The report states that Accretive employees lost six laptops to theft in three separate incidents,” Franken’s letter states. “Is this accurate?”

Fairview and Accretive officials have said there’s no evidence that any patient has been harmed by the laptop theft in Minneapolis. But they have not previously disclosed details about the June 2010 theft or the possibility that there might be a pattern of lost laptops.

Read more on Pioneer Press.

Perhaps one of the more shocking revelations was how Accretive responded to a laptop theft from an employee’s car:

In October, an Accretive Health executive followed up on the incident with a memo detailing some security tips. When traveling, laptops should always be in sight and under your control, the executive wrote in a document released by Swanson.

“If you can’t take your laptop with you,” the memo states, “leave it out-of-sight in the trunk of your car.”

Great advice because cars are never stolen or trunks are never broken into, right?

Another shocking revelation in the Attorney General’s report was contained in a November 2011 presentation prepared by Accretive for Fairview. It noted, in part:

  • Theft of the Accretive laptop continues to cause ripples in the Fairview community.
  • Matt Doyle (the Accretive employee whose laptop was stolen) should not have had access to patient data.
  • The stolen laptop of another Accretive employee (Brandon Webb) was not reported to Fairview.

(p. 11, Volume 3). Significantly, not only should Doyle not have had access to patient data, but he comingled data from Fairview with data from St. John’s Hospital in Michigan – even though he shouldn’t have had the latter’s data more than a year after he left that site (Volume 6, p. 14).

But it is Volume 4 – a volume totally devoted to privacy violations – that really contains a lot of descriptive material on the breaches. Here’s one subsection:

“Smash and Grabs.” Accretive employees operate mostly with laptops.  Accretive prepared a slide presentation in February of 2011 which acknowledged that four Accretive laptops had been “smashed and grabbed” out of cars. (Ex. 4, p. 1.) In each instance, an Accretive employee left a laptop in plain view in a locked car, the car was broken into, and the laptop was stolen. The company notes that its laptops often contain “tons of patient health and financial information.” (Id., p. 2.)

On June 2, 2010, an Accretive employee named Brandon Webb left an Accretive laptop in plain view in his rental car in the parking lot of an Old Mexico Restaurant in Roseville, Minnesota. A thief broke into the car and stole the laptop. (Ex. 5.) At the time, Mr. Webb was working for Accretive on the Fairview revenue cycle contract.

Accretive failed to notify Fairview that the laptop had been stolen. Fairview instead learned of the compliance breach through a series of anonymous tips and from employees who questioned the wisdom of providing confidential medical data to Accretive when it did not bother to secure the data. (Ex. 6.) In November of 2011, Fairview complained to Stephen Kelly, the Vice President of Compliance at Accretive, that Fairview was disturbed to learn that a laptop had been left in plain sight in a car and stolen. (Ex. 7.) Mr. Kelly suggested that notice was not required because the laptop was encrypted. (Ex. 8.)

About a year after Mr. Webb’s laptop was stolen from his car, another Accretive employee had a “smash and grab” of his Accretive laptop from his car. On July 25, 2011, Accretive employee Matthew Doyle parked his car outside a restaurant in the Seven Corners neighborhood of Minneapolis. Once again, Mr. Doyle left the Accretive laptop in plain view of a thief, who broke into the car and stole the laptop. The laptop was not encrypted. (Ex. 9.)

The laptop contained confidential data on approximately 23,000 patients of Fairview and North Memorial Health Care, as well as data of a hospital in Detroit, Michigan. Three months after the laptop was stolen, in late October, 2011, Accretive finally responded with a report prepared by Kroll Consulting. (Id.) The Kroll report indicates that the laptop contained 15.4 gigabytes of data, more than 600 files containing PHI or PII, and 20 million records. The report gives no analysis as to why Mr. Doyle would comingle the patient records of various hospitals on his laptop, why he would need extensive health information about patients as a “revenue cycle” employee, why he would need to store so much patient data on his laptop, or why he would need to keep health records of Fairview patients when he was apparently now working on a revenue cycle contract with North Memorial Health Care. (Id.)

There’s so much in these volumes that it’s hard to know where to start, but if you read nothing else, read all of Volume 4.

This may turn out to be one of those incidents where a breach actually does kill a business. Accretive’s stock had already dropped following the January announcement of the Attorney General’s lawsuit against them, and the release of the 6-volume report triggered a 42% drop in stock prices and an investor lawsuit. Now, just 12 hours ago, Accretive announced that it had lost its contract with Fairview:

Accretive Health, Inc. (NYSE: AH – News) said today that it has received notice of termination from Fairview Health Services of its Quality and Total Cost of Care (“QTCC”) services contract. The terms of the transition have yet to be determined. The Company will update its business outlook on its quarterly earnings call on May 9, 2012.


Category: Health Data