Accretive Health Addresses BreachSays Lack of Laptop Encryption Was an 'Oversight'
A laptop stolen from an employee of Accretive Health last year was not encrypted "due to the oversight of an individual IT employee," the company says in a 29-page comment letter sent to U.S. Sen. Al Franken, D-Minn. That employee subsequently was fired, the company reports.
Sen. Franken has launched an investigation into the Chicago-based billing and collections firm in the wake of the Minnesota attorney general's lawsuit against the company that stems, in part, from the data breach last year that affected more than 20,000 patients. Accretive Health, which wrote the comment letter at the request of Franken, has filed a motion to dismiss the lawsuit (see: Accretive Health Responds to Lawsuit.)
Franken has announced the Senate Health Committee plans to hold a field hearing later this month in Minnesota on Accretive Health's business practices.
In its comments to Franken, Accretive Health also notes that following the July 2011 breach incident it "added redundancies to its IT practices so that multiple employees work independently to ensure that each Accretive Health laptop is properly encrypted. In addition, Accretive Health conducts reviews at least five days a week to confirm that every laptop remains properly encrypted."
The company also notes that it has "begun to upgrade its encryption software to higher than industry standards."
An unencrypted laptop was stolen from the parked rental car of an Accretive Health employee, according to the Minnesota attorney general's lawsuit. It contained healthcare information, as well as some Social Security numbers and other personal data, on patients treated at Fairview Health Services and North Memorial Health Care.
The bulk of Accretive Health's letter to Franken deals with the lawsuit's other allegations regarding its collection practices.