Accretive Health Inc., a company that provides medical billing and revenue management services to hospitals around the country, has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.

In its complaint against the Chicago-based business, the FTC alleges the company failed to provide reasonable and appropriate security measures and procedures to protect consumers’ personal information, including sensitive personal health information. Accretive had access to a wealth of personal information about the patients of its hospital clients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic information.

Accretive's failure to safeguard such information led to a July 2011 incident in Minneapolis, Minn., where an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car, according to the complaint.

The FTC alleges that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.

The complaint also alleges that Accretive failed to employ reasonable procedures designed to ensure that employees removed consumers’ personal information that they no longer needed from their computers; and that in certain instances, when the personal health information of consumers was used in training sessions for employees, Accretive failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to consumers’ personal information based on an employee’s need for the information.

Under the terms of its settlement with the FTC, Accretive must establish a comprehensive information security program designed to protect consumers’ sensitive personal information. In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.

FTC staff also sent a letter to Accretive indicating that it would not recommend an enforcement action related to allegations concerning Accretive's collection practices in hospitals. The letter notes that while staff is declining to recommend a Fair Debt Collection Practices Act case against Accretive at this time, the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility raises serious concerns.

The FTC vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning Tuesday and continuing through Thursday, Jan. 30, after which the Commission will decide whether to make the proposed consent order final.
