Accretive Health Breach: FTC Settlement
Billing Company Must Build Comprehensive Security Program
Accretive Health Inc., a Chicago-based medical billing and revenue management services company, has agreed to a settlement with the Federal Trade Commission related to an investigation into a 2011 data breach that affected 23,000 patients.
Under the settlement, which does not include a monetary penalty, Accretive has agreed to a number of corrective actions designed to establish a comprehensive security program to protect consumers' personal information. The settlement, which remains in force for the next 20 years, also requires Accretive to have its program evaluated every two years by a certified third party.
The FTC alleged in a complaint against Accretive that the company failed to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, including sensitive personal health information. The failure to adequately safeguard the data led to a July 2011 incident in Minneapolis, Minn., when an Accretive employee's unencrypted laptop computer containing data on 23,000 patients of the company's hospital clients was stolen from the worker's car.
Data on the laptop included patient names, dates of birth, Social Security numbers, billing information and medical diagnostic information.
Dual FTC Investigation
The FTC can launch health data breach investigations on its own, or through referrals from other agencies, including referrals by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA compliance, says Allison Lefrak, a staff attorney at the FTC's Bureau of Consumer Protection.
Two FTC divisions, the division of privacy and identity protection and the division of financial practices, were involved with the Accretive investigation. On Dec. 31, the division of financial practices closed a related investigation into Accretive's debt collection practices in hospitals, she says.
The FTC did not issue an enforcement action related to Accretive's debt collection practices. However, a letter from the FTC to Accretive staff indicated the company's practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency department or other medical facility raises serious concerns, according to an FTC statement.
FTC's Dec. 31 settlement agreement with Accretive is subject to public comment for 30 days, after which the commission will decide whether to make the proposed consent order final. "We will go through public comments to see if there is anything in the case we've overlooked," Lefrak says.
The FTC commonly issues breach investigation settlements that include corrective actions aimed at having organizations better protect consumers' personal information, Lefrak says. FTC officials will not discuss any other data breach investigations that might be under way, she adds.
The FTC case against Accretive should serve as a wake-up call to other healthcare organizations and the companies that serve them, says privacy attorney Adam Greene, a partner at Davis Wright Tremaine.
"The Accretive Health settlement is an important reminder that the [HHS] Office for Civil Rights is not the only game in town when it comes to enforcement of health information privacy and security," says Greene, a former official at OCR, which enforces HIPAA compliance, including conducting breach investigations. "While rare, the FTC has occasionally exercised its broad authority to find a lack of health information safeguards as an unfair or deceptive trade practice under Section 5 of the FTC Act."
Greene points out that the FTC has conducted similar investigations in the wake of other health data breaches. Those include settlements with CVS Caremark and Rite Aid pharmacies over alleged improper disposal of prescription information. Additionally, the FTC has filed a complaint against LabMD for allegedly making patient information publicly available through an employee's use of file-sharing software, Greene notes.
"There does not seem to be much of a pattern, other than that the CVS, Rite Aid, and Accretive matters were all pretty high profile and widely reported in the press prior to the FTC's actions," he says.
"The good news for healthcare entities with respect to FTC enforcement is that the FTC does not have civil money penalty authority under Section 5 of the FTC Act. The bad news is that their normal enforcement action is to seek 20 years of independent monitoring - paid for by the healthcare entity. And an FTC action in no way precludes OCR, state attorneys general, and other enforcement agencies from also taking action."
In fact, the Minnesota Attorney General reached a settlement with Accretive in 2012. That settlement, which dealt with the firm's collection practices as well as the breach incident, alleged violations of federal and state health privacy laws, as well as state debt collection and consumer protection laws (see: Accretive Health Settles Minn. Lawsuit).
As part of its settlement with the FTC, Accretive agreed to take several actions, including:
- Designate staff to coordinate and be accountable for the information security program;
- Identify internal and external risks to the security, confidentiality and integrity of personal information that could result in the compromise of the information, and assess the sufficiency of any safeguards in place to control the risks;
- Include in the risk assessment consideration of each relevant area of operations, including employee training and management; information systems, including network and software design; and prevention, detection and response to attacks, intrusions and other system failures;
- Design and implement reasonable safeguards to control the risks identified through risk assessment and regularly test and monitor the effectiveness of the safeguards' key controls, systems, and procedures;
- Develop and implement reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive, and require service providers to implement and maintain appropriate safeguards; and
- Evaluate and adjust the information security program in light of the results of the testing and monitoring required by the settlement.
In a statement to Information Security Media Group, Accretive Health says, "The settlement confirms that our current data privacy initiatives are robust, and we are agreeing to continue to maintain these data privacy initiatives for years to come as set forth in the [FTC] consent agreement."