Accretive Health Reaches Accord With FTC Over Adequacy of Data Security Measures

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Jan. 2 -- A medical billing and revenue management services provider with “access to a wealth of personal information about the patients of its hospital clients” must implement a comprehensive data security program to protect consumers' personal information, pursuant to a proposed no-fault administrative consent order accepted Dec. 31 by the Federal Trade Commission (In re Accretive Health, Inc., FTC, No. 1223077, consent order proposed 12/31/13).

Chicago-based Accretive Health Inc. has access to “sensitive personal health information,” which “may include patient names, dates of birth, billing information, diagnostic information, and Social Security numbers,” the FTC said in its draft complaint.

The FTC's draft complaint alleged that Accretive Health violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), by failing “to employ reasonable and appropriate measures to protect personal information against unauthorized access.”

Unfairness Prong Cited

The complaint contended that “inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse,” which the FTC said was an unfair business practice.

The FTC's reliance on the unfairness prong of Section 5 of the FTC Act for data security enforcement actions is under attack by some companies.

LabMD Inc. filed a federal court complaint challenging an unfairness prong administrative enforcement action by the FTC similar to that in the Accretive action (12 PVLR 1989, 11/25/13). LabMD alleged that the commission engaged in an “extralegal abuse of government power” through its use of the unfairness prong.

Hotelier Wyndham Worldwide Corp. earlier filed a motion to dismiss a federal court complaint. After recent oral arguments on Wyndham's motion to dismiss the FTC's lawsuit alleging that its security practices failed to prevent a series of customer data breaches, the court refused the company's request to stay discovery (12 PVLR 1946, 11/18/13).

Both companies assert that the FTC's reading of its unfairness authority exceeds what Congress intended.

Lax Data Security Alleged

The draft complaint alleged that Accretive Health created unnecessary risks of unauthorized access or theft of personal information by:

• transporting laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;

• failing to adequately restrict access to, or copying of, personal information based on an employee's need for information;

• failing to ensure that employees removed information from their computers for which they no longer had a business need; and

• using consumers' personal information in training sessions with employees and failing to ensure that the information was removed from employees' computers following the training.


The draft complaint cited a July 2011 data breach incident involving the theft in Minneapolis, from an Accretive employee's car, of a laptop containing sensitive personal and health data on 23,000 patients.

The Minnesota office of attorney general filed a federal court complaint against Accretive as the business associate of the Health Insurance Portability and Accountability Act covered entity hospital where the patients were treated (11 PVLR 198, 1/30/12). The state enforcement action was the first filed directly by a state against a business associate under new enforcement powers authorized by the Health Information Technology for Economic and Clinical Health Act.

Accretive and Minnesota eventually settled that litigation, with Accretive agreeing to pull out of Minnesota and refrain from doing business in the state for six years and to pay the state slightly less than $2.5 million (11 PVLR 1238, 8/6/12).

Here, the FTC alleged that Accretive Health “created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.”

Proposed Settlement

The proposed consent order would require Accretive Health to establish and maintain “a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”

This program “shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity, the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers.”

In particular, the proposed order would require Accretive Health to:

• designate an employee or employees to coordinate and be accountable for the information security program;

• identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks;

• design and implement reasonable safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards' key controls, systems and procedures;

• develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive Health and require service providers by contract to implement and maintain appropriate safeguards; and

• evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement or any other circumstances that it knows or has reason to know may have a material impact on its information security program.


The company also would be required to have the program evaluated both initially and every two years by a certified third party. The provisions will apply to Accretive Health's operations for the next 20 years.

The FTC released an analysis of the proposed consent order to assist the public in furnishing comments. Public comments are due by Jan. 30.

Andrew Clubok of Kirkland & Ellis LLP, in New York, and Marimichael Skubel and Nina Frant of the firm's Washington office, represented Accretive. Katherine Armstrong, Allison Lefrak and David W. Lincicum of the FTC Bureau of Consumer Protection, in Washington, represented the commission.

The proposed consent order is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthorder.pdf.

The draft complaint is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthcmpt.pdf.

The analysis of the proposed settlement is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthanal.pdf.