On December 31, 2013, the Federal Trade Commission (“FTC”) announced that Accretive Health, Inc. (“Accretive”) agreed to settle charges that the company’s inadequate data security measures exposed sensitive consumer information to the risk of theft or misuse. Accretive provides medical billing and revenue management services to hospitals around the country. Accretive experienced a data breach in 2011 when one of its unencrypted laptops, containing the personal information of 23,000 patients at Minnesota hospitals, was stolen from the car of an Accretive employee.
The FTC complaint alleges that Accretive failed to provide reasonable and appropriate security for the personal information of consumers, resulting in the 2011 data breach. The complaint also alleges that Accretive created unnecessary risks of unauthorized access to personal information by transporting laptops containing personal information in a manner that made them vulnerable to theft, and by failing to restrict access to personal information to those employees with a need for it.
Under the terms of the settlement with the FTC, Accretive must establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected about or from consumers. Accretive must have the program evaluated initially and then every two years by a certified third party. The settlement will be in force for twenty years. The settlement is open for public comment until January 30, 2014.
Previously, the Minnesota Attorney General sued Accretive over the breach and over the debt collection activities that the breach investigation revealed. The Attorney General alleged violations of HIPAA and of Minnesota privacy and debt collection laws. Accretive settled with the Attorney General in July 2012, agreeing to pay $2.5 million, cease business operations in Minnesota, and not reenter the state for six years without the agreement of the Attorney General.
The FTC also advised Accretive that it was closing its investigation into Accretive’s conduct in collecting defaulted debts in hospital emergency rooms and would not pursue a claim that the company violated the Fair Debt Collection Practices Act. In reaching its decision, the FTC considered the settlement agreement with the State of Minnesota mentioned above, which effectively bans Accretive from doing business in that state for up to six years.
The Accretive case offers several key takeaways for covered entities and business associates:
1. Encrypt PHI that is stored on portable devices, including laptops and USB drives. This is a point of emphasis for the HHS Office for Civil Rights: the loss of a device whose PHI is encrypted in accordance with HHS guidance is not a reportable breach under the HIPAA Breach Notification Rule, whereas the loss of an unencrypted device, as here, is.
2. Expect enforcement activity not just from the HHS Office for Civil Rights but also from other enforcers, such as state Attorneys General and the FTC.
3. Anticipate that investigators who arrive because of a data breach may uncover other potential wrongdoing, such as questionable debt collection practices or improper billing and coding, leading to additional enforcement actions.
4. To avoid potentially lengthy government oversight (twenty years in Accretive’s case), covered entities and business associates should review and update their HIPAA privacy and security policies and procedures now.
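The first takeaway above is only worth anything if someone actually verifies it on the fleet. As an added example (not from the original post, and not anything Accretive, the FTC or HHS published), the POSIX shell check below reads the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, finds the block device behind a given mount point, walks up through any LVM or partition layers, and reports whether a dm-crypt (LUKS) layer sits underneath. The two lsblk outputs embedded in it are constructed samples, the function names `fde_status` and `fde_live` are my own, and the check covers Linux dm-crypt only.

```shell
#!/bin/sh
# Full-disk-encryption check for Linux endpoints (added example, not
# from the original post). Input format: `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`,
# one KEY="value" record per device. A mount point counts as encrypted when
# it, or any ancestor device, has TYPE="crypt" (dm-crypt/LUKS).

# Constructed sample: LUKS container under LVM, with a cleartext EFI partition.
SAMPLE_ENCRYPTED='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"'

# Constructed sample: plain partitions plus an unencrypted USB stick.
SAMPLE_CLEARTEXT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"'

# fde_status MOUNTPOINT  (lsblk -P records on stdin)
# Prints one verdict line. Exit 0 = encrypted, 1 = cleartext, 2 = not found.
fde_status() {
  awk -v mp="$1" '
  {
    # Splitting on the double quote leaves keys in the odd fields and
    # values (possibly empty) in the even fields.
    n = split($0, f, "\"")
    name = ""; type = ""; mount = ""; pk = ""
    for (i = 1; i < n; i += 2) {
      key = f[i]; gsub(/[ =]/, "", key)
      val = f[i + 1]
      if (key == "NAME") name = val
      else if (key == "TYPE") type = val
      else if (key == "MOUNTPOINT") mount = val
      else if (key == "PKNAME") pk = val
    }
    if (name == "") next
    types[name] = type          # device type: disk, part, crypt, lvm, ...
    parent[name] = pk           # parent kernel device name, "" at the top
    if (mount != "") holder[mount] = name
  }
  END {
    leaf = holder[mp]
    if (leaf == "") { printf "%s: not present in lsblk output\n", mp; exit 2 }
    # Walk upward from the mounted device; cap the hops so a malformed
    # PKNAME cycle cannot loop forever.
    for (dev = leaf; dev != "" && hops < 16; dev = parent[dev]) {
      hops++
      if (types[dev] == "crypt") { printf "%s: encrypted via %s\n", mp, dev; exit 0 }
    }
    printf "%s: NOT encrypted (backed by %s)\n", mp, leaf
    exit 1
  }'
}

# fde_live [MOUNTPOINT]  -- run the same check against the real host.
fde_live() {
  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | fde_status "${1:-/}"
}

# Demo on the constructed samples. The EFI system partition is expected to
# be cleartext; /, /home and removable media are the ones that matter.
for mp in / /home /boot/efi; do
  printf '%s\n' "$SAMPLE_ENCRYPTED" | fde_status "$mp" || :
done
for mp in / /media/usb; do
  printf '%s\n' "$SAMPLE_CLEARTEXT" | fde_status "$mp" || :
done
```

Run `fde_live /` (and `fde_live /home`, or the mount point of any removable drive) from a configuration-management or inventory job and treat a non-zero exit as a finding; a cleartext verdict on a laptop that carries PHI is exactly the situation the Accretive complaint describes. Windows and macOS fleets need their own probes (`manage-bde -status` for BitLocker, `fdesetup status` for FileVault), since this check only understands the Linux block-device tree.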