Accretive Health, Inc., a company that provides medical billing and revenue management services to hospitals around the country, has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.
In its complaint against the Chicago-based business, the FTC alleges the company failed to provide reasonable and appropriate security measures and procedures to protect consumers’ personal information, including sensitive personal health information. Accretive had access to a wealth of personal information about the patients of its hospital clients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic information.
According to the complaint, Accretive’s failure to adequately safeguard such information led to a July 2011 incident in Minneapolis, Minn., where an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car. The Commission alleges that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.
The complaint also alleges that Accretive failed to employ reasonable procedures designed to ensure that employees removed consumers’ personal information that they no longer needed from their computers; and that in certain instances, when the personal health information of consumers was used in training sessions for employees, Accretive failed to remove that information from employees’ computers after the training was finished. In addition, the FTC alleged that Accretive failed to adequately restrict employee access to consumers’ personal information based on an employee’s need for the information.
Under the terms of its settlement with the FTC, Accretive must establish a comprehensive information security program designed to protect consumers’ sensitive personal information. In addition, the company must have the program evaluated both initially and every two years by a certified third party. The settlement will be in force for the next 20 years.
FTC staff also sent a letter to Accretive indicating that it would not recommend an enforcement action related to allegations concerning Accretive’s debt collection practices in hospitals. The letter notes that while staff is declining to recommend a Fair Debt Collection Practices Act case against Accretive at this time, the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility raises serious concerns.
This Press Release is courtesy FTC.gov
Leave a Reply
You must be logged in to post a comment.