Accretive Health, Inc., a company providing medical billing and revenue management services to hospitals throughout the US. Accretive "has agreed to settle Federal Trade Commission charges that its inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse." This settlement follows a settlement between Accretive and the Minnesota Attorney General for HIPAA violations.


Minnesota Action

The Accretive saga started in July 2011, when "an Accretive employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota patients of two Minnesota hospital systems . . . in a rental car after 10 p.m." and the laptop was stolen. [1] (See my brief discussion of this case in the October issue of Nephrology News & Issues back in 2012 - "HIPAA: Privacy, Security & the Consequences of a Breach for Dialysis Providers - Part 2: Recommendations to Minimize Exposure to Data Breach-Related Liabilities" (PDF).) (According to the FTC Press Release, while there were 23,500 patients, the laptop contained 20 million pieces of information.)

The laptop contained sensitive patient information, including the patient's name, address, date of birth, and Social Security number, as well as highly sensitive patient information, including "a checklist to denote whether the patient has 22 different chronic medical conditions and, if so, the condition of the patient [including] three mental health conditions (depression, bipolar disorder and schizophrenia) [and] HIV." [2]

The Minnesota State Attorney General was particularly concerned about Accretive's involvement in the revenue cycle, its "aggressive" debt collection practices, and its lack of disclosure to patients. As the AG described: "Accretive has told Wall Street investors that its revenue cycle operations contract starts 'when a patient registers for future service or arrives at a hospital or clinic for an unscheduled visit' and ends when 'the hospital has collected all the appropriate revenue from all possible sources.' Through these contracts, Accretive controls the revenue functions of the hospitals, including front office (patient access), middle office (billing), and back office (collections) functions. It reports to Wall Street investors that it carries out these functions using 'data mining,' 'consumer behavior modeling,' and 'propensity to pay' algorithms."

The AG filed suit in the United States District Court in Minnesota, alleging that Accretive violated state and federal health privacy laws, state debt collection laws, and state consumer protection laws. As the AG described the relief sought: "It seeks an order requiring Accretive to fully disclose to [Minnesota] patients: (1) what information it has...; (2) what information it has lost...; (3) where and to whom it has sent information about [the] patients; [and] (4) the purposes for which it amasses and uses information about Minnesota patients."

The lawsuit also asked "Accretive to disclose whether it has sent health data about Minnesota patients to its so-called 'Shared Services Blended Shore Center of Excellence' in New Delhi, India."

A Few Highlights

- The matter came to light in 2011 when an unencrypted laptop containing detailed patient data was stolen out of an employee's car.

- As a result of this incident, Accretive was investigated by both the Minnesota Attorney General and the Federal Trade Commission.

- During the investigation, several practices came to light, including Accretive's lack of HIPAA compliance and its aggressive healthcare debt collection practices.

- The Minnesota AG brought an action pursuant to the HIPAA enforcement authority granted to AGs by the HITECH Act. Accretive is a business associate of a covered entity and, per the HITECH Act, direct enforcement against business associates is permitted.

- The Minnesota AG settled with Accretive in 2012. The settlement required Accretive to cease operations in Minnesota and banned the company from doing business in Minnesota for at least 2 years.

- The FTC brought an action based on Section 5 of the FTC Act, alleging that Accretive Health created unnecessary risks of unauthorized access or theft of personal information.

- The FTC's action tracks the requirements of HIPAA, and sets forth additional requirements with respect to Accretive's subcontractors.

- The OCR is unlikely to take any action against Accretive.

Unlike previous State AGs that sought to take action against those who lost patient data, the Minnesota AG relied, at least in part, on the authority granted to state AGs by the HITECH Act to take enforcement action against covered entities and business associates that violated the HIPAA Privacy and Security Rules. [3] This case was also the first example of an enforcement action against a business associate.


The case came to an end in July 2013, when Accretive settled with the Minnesota AG. Compared to the settlements often entered into by the HHS Office of Civil Rights, the Minnesota AG settlement was relatively harsh. Under the settlement, Accretive agreed to "cease all operations in Minnesota within ... 90 days, or by November 1, 2012. The company [would] then be subject to an outright ban on operating in Minnesota for two years, after which, for the next four years, it can only reenter the State if the Attorney General agrees to a Consent Order regarding its business practices in the State." [4]

The FTC Action

The FTC Action against Accretive stems from the same incident: the loss of the unencrypted laptop.

The FTC brought its action under its enforcement authority in Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." [5] In the Complaint, the FTC alleged the following violations:
Until at least July 2011, Accretive failed to provide reasonable and appropriate security for consumers' personal information it collected and maintained by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access. Among other things, Accretive Health created unnecessary risks of unauthorized access or theft of personal information by:
a. Transporting laptops containing personal information in a manner that made them vulnerable to theft or other misappropriation;

b. Failing to adequately restrict access to, or copying of, personal information based on an employee's need for information;

c. Failing to ensure that employees removed information from their computers for which they no longer had a business need; and

d. Using consumers' personal information in training sessions with employees and failing to ensure that the information was removed from employees' computers following the training. [6]
The behaviors that the FTC identifies as creating "unnecessary risks of unauthorized access or theft" generally align with the types of behaviors that the Office of Civil Rights finds problematic.

Excerpts from the FTC Consent Order

In the Consent Order, the FTC sets forth a number of requirements Accretive must undertake:

[E]stablish and implement, and thereafter maintain, or continue to maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program ...shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity, the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers, including:
(1) The designation of an employee or employees to coordinate and be accountable for the information security program;

(2) The identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control the risks. At a minimum, this risk assessment should include consideration of the risks in each relevant area of operations, including but not limited to: (a) employee training and management; (b) information systems, including network and software design, information processing, storage, transmission, and disposal; and (c) prevention, detection, and response to attacks, intrusions, and other system failures;

(3) The design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing and monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;

(4) The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

(5) The evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by [this Order], any material changes to operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have material impact on the effectiveness of the information security program. [7]
The FTC's consent order mirrors some of the HIPAA requirements, including, for example, undertaking a risk assessment, developing appropriate measures to address issues identified in the risk assessment, and designating a responsible individual. But this Order also imposes additional requirements with respect to subcontractors that go beyond what HIPAA requires, in that the Order calls for the "development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from" Accretive. Under HIPAA, business associates are only required to obtain "reasonable assurances" in the form of a written agreement. As such, the FTC's language seems to suggest a requirement of more than a written agreement.

Like other FTC orders, this one too is in effect for a period of 20 years.

Where is the Office of Civil Rights?

The Office of Civil Rights (OCR) is unlikely to take any action against Accretive as a result of the data breach. Part of the reason that the HITECH Act specifically extended enforcement authority over business associates was to overcome an interpretation released by the Department of Justice many years ago that HHS lacked direct enforcement authority over business associates.

Leon Rodriguez, the Director of OCR, has previously stated that the OCR will not be taking enforcement actions against business associates until after HHS releases the revised HIPAA Rules (revised pursuant to HITECH) and the Rules come into effect. The HIPAA Omnibus Rule was not released until January 2013 and the compliance period came into effect in September 2013. But, the Accretive breach happened in July 2011. This may explain why the FTC Order tracks HIPAA so closely.


There are a number of legal takeaways from the FTC's latest action.
  • The FTC Consent Order requirements may track HIPAA requirements, including undertaking a risk assessment.
  • The FTC appears to be requiring Accretive to undertake some sort of vetting process of subcontractors to ensure that they are "capable of appropriately safeguarding personal information they receive from" Accretive, in addition to entering into business associate agreements.
  • In some respects, it would have been better for Accretive if OCR had brought the action, because OCR's resolution agreements generally run for about 5 years, whereas the FTC's agreement is for 20 years.
Similar to the recent action by OCR against Adult & Pediatric Dermatology, P.C., a dermatology practice delivering services in Massachusetts and New Hampshire, this is another breach that could have been avoided with the use of encryption on portable devices, including laptops.

-----------------
[1] Press Release, Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations: Debt Collector Lost Laptop Containing Sensitive Data on 23,500 Minnesota Patients, https://www.ag.state.mn.us/consumer/pressrelease/120119accretivehealth.asp (last visited Jan. 2, 2014).

[2] Id.

[3] Complaint, State of Minnesota by its Attorney General Lori Swanson v. Accretive Health, Inc., Civil File No. ___ (D. Minn. Jan. 19, 2012) ("Count 1: Violations of HIPAA. Accretive is business associate of both Fairview and North Memorial as defined in HIPAA. See, e.g., 45 C.F.R. § 160.103. Because HITECH Section 13401 (42 U.S.C. § 17931) provides that 45 C.F.R. §§ 164.308, .310, .312 and .316 apply to a business associate of a covered entity in the same manner as they would to a covered entity, Accretive is thus subject to the security provisions contained within HIPAA as well as applicable civil and criminal penalties.")

[4] Press Release, Minnesota Attorney General, Attorney General Swanson Says Accretive Will Cease Operations in the State of Minnesota Under Settlement of Federal Lawsuit, Cannot Reenter Minnesota For Six Years Without Attorney General's Agreement, https://www.ag.state.mn.us/consumer/pressrelease/07312012accretiveceaseoperations.asp (last visited Jan. 2, 2014).

[5] In the Matter of Accretive Health, Inc., FTC Complaint, Docket No. ___ (File No. 122 3077) (Dec. 31, 2013), available at https://www.ftc.gov/enforcement/cases-and-proceedings/cases/122-3077/accretive-health-inc.

[6] Id. at para. 6.

[7] In the Matter of Accretive Health, Inc., FTC Order, Docket No. ___ (File No. 122 3077) (Dec. 31, 2013), available at https://www.ftc.gov/enforcement/cases-and-proceedings/cases/122-3077/accretive-health-inc.

FTC's Press Release - https://www.ftc.gov/news-events/press-releases/2013/12/accretive-health-settles-ftc-charges-it-failed-adequately-protect.