The Federal Trade Commission (FTC) recently announced a settlement with Accretive Health, Inc., a provider of medical billing and revenue management services to hospitals. The FTC’s complaint alleged that Accretive failed to provide reasonable and appropriate security for consumers’ personal information, and this failure constituted an unfair act or practice in violation of Section 5 of the FTC Act.
The FTC’s allegations stemmed from a July 2011 incident in Minneapolis, Minnesota, which we described in previous posts. An Accretive laptop containing over 600 files with information relating to 23,000 patients was stolen from an employee’s car. The data on the laptop included sensitive personal and health information, such as patient names, billing information, diagnostic information, and Social Security numbers, which, according to the FTC, was not necessary for the employee to perform his job.
Under the terms of the Dec. 31 settlement, Accretive must implement a comprehensive information security program and submit the program for evaluation every two years by a certified third party. The settlement will be in force for the next 20 years. The FTC will accept written comments on the proposed consent order until January 30, 2014, after which the Commission will rule on whether to finalize the consent order.
The FTC also sent a separate letter to Accretive regarding its debt collection practices in hospital emergency rooms and other sensitive hospital areas. While noting that attempts to collect defaulted debts in such places raise serious consumer protection concerns, and that FTC staff did find evidence that Accretive engaged in unlawful debt collection practices in Minnesota, the FTC stated it would not recommend an enforcement action at this time. One reason, according to the letter, was that the Minnesota Attorney General already banned Accretive from collection activity in Minnesota pursuant to a $2.5 million settlement.