Accretive Health, Inc. (“Accretive”) is a service provider for hospital systems nationwide, providing services related to the hospital systems’ revenue cycle operations. In providing these services, Accretive obtains sensitive health information about its customers’ patients. Accretive suffered a security breach that resulted in the exposure of sensitive, personally identifiable information for about 23,000 individuals. As is often the case, that breach resulted in a complaint from the government.
Of course, Accretive’s clients are Health Insurance Portability and Accountability Act (“HIPAA”)-covered entities, and Accretive is a business associate under HIPAA. This investigation, however, was not a HIPAA investigation; the claims were brought by the Federal Trade Commission (“FTC”) under the FTC Act. HIPAA-covered entities and their business associates should keep in mind that HIPAA compliance is not their only regulatory obligation to maintain the security of personal information.
The FTC argued that Accretive failed to provide reasonable and appropriate security for the consumers’ personal information it collected and maintained, by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access. The FTC claimed that, among other things, Accretive:
- transported laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
- failed to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
- failed to ensure that employees removed information from their computers for which they no longer had a business need; and
- used consumers’ personal information in training sessions with employees and failed to ensure that the information was removed from employee computers after the training.
Accretive’s failures resulted in a July 2011 incident in Minneapolis, Minnesota, in which an Accretive laptop containing 600 files related to 23,000 patients was left in the locked passenger compartment of an employee’s car and was stolen. The laptop included sensitive personal and health information, including names, dates of birth, billing information, diagnostic information, and social security numbers. The user of the laptop was carrying data that was not necessary to perform his job.
The FTC argued that the failure by Accretive to employ reasonable and appropriate measures to protect personal information from unauthorized access was an unfair act or practice in violation of Section 5(a) of the FTC Act.
On January 13, the FTC published a notice in the Federal Register that the FTC had accepted, subject to final approval, a consent order applicable to Accretive. The Proposed Order requires Accretive to establish and maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information. The program must contain administrative, technical and physical safeguards appropriate to Accretive’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects about consumers. Specifically, the Proposed Order requires Accretive to:
- designate an employee or employees to coordinate and be accountable for the information security program;
- identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control these risks;
- design and implement reasonable safeguards to control the risks identified through the risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
- develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding the personal information they receive from Accretive, and require service providers by contract to implement and maintain appropriate safeguards; and
- evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.
Companies handling sensitive personal information are advised to review the types of security measures that the FTC includes in consent orders of this kind, because they amount to a checklist of the measures the FTC will expect to be in place at companies handling similar types of data.
In Accretive’s case, the Proposed Order will remain in place for 20 years, and it requires Accretive to obtain, every other year for those 20 years, an assessment and report from a qualified, objective, and independent third-party professional certifying that its security program meets the requirements of the order.
The FTC published a description of the consent, which is subject to public comment for thirty days, after which the FTC will decide whether to make the proposed order final.