Bloomberg Law: Privacy & Data Security
Jan. 2 -- A medical billing and revenue management services provider with “access to a wealth of personal information about the patients of its hospital clients” must implement a comprehensive data security program to protect consumers' personal information, pursuant to a proposed no-fault administrative consent order accepted Dec. 31 by the Federal Trade Commission (In re Accretive Health, Inc., FTC, No. 1223077, consent order proposed 12/31/13).
Chicago-based Accretive Health Inc. has access to “sensitive personal health information,” which “may include patient names, dates of birth, billing information, diagnostic information, and Social Security numbers,” the FTC said in its draft complaint.
The FTC's draft complaint alleged that Accretive Health violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), by failing “to employ reasonable and appropriate measures to protect personal information against unauthorized access.”
The complaint contended that “inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse,” which the FTC said was an unfair business practice.
The FTC's reliance on the unfairness prong of Section 5 of the FTC Act for data security enforcement actions is under attack by some companies.
LabMD Inc. filed a federal court complaint challenging an unfairness prong administrative enforcement action by the FTC similar to that in the Accretive action (12 PVLR 1989, 11/25/13). LabMD alleged that the commission engaged in an “extralegal abuse of government power” through its use of the unfairness prong.
Hotelier Wyndham Worldwide Corp. earlier filed a motion to dismiss a federal court complaint. After recent oral arguments on Wyndham's motion to dismiss the FTC's lawsuit alleging that its security practices failed to prevent a series of customer data breaches, the court refused the company's request to stay discovery (12 PVLR 1946, 11/18/13).
Both companies assert that the FTC's reading of its unfairness authority exceeds what Congress intended.
The draft complaint alleged that Accretive Health created unnecessary risks of unauthorized access or theft of personal information by:
• transporting laptops containing personal information in a manner that made them vulnerable to theft or misappropriation;
• failing to adequately restrict access to, or copying of, personal information based on an employee's need for information;
• failing to ensure that employees removed information from their computers for which they no longer had a business need; and
• using consumers' personal information in training sessions with employees and failing to ensure that the information was removed from employees' computers following the training.
The draft complaint cited a July 2011 data breach incident involving the theft in Minneapolis, from an Accretive employee's car, of a laptop containing sensitive personal and health data on 23,000 patients.
The Minnesota office of attorney general filed a federal court complaint against Accretive as the business associate of the hospital where the patients were treated, a covered entity under the Health Insurance Portability and Accountability Act (11 PVLR 198, 1/30/12). The state enforcement action was the first filed directly by a state against a business associate under new enforcement powers authorized by the Health Information Technology for Economic and Clinical Health Act.
Accretive and Minnesota eventually settled that litigation, with Accretive agreeing to pull out of Minnesota, refrain from doing business in the state for six years and pay the state slightly less than $2.5 million (11 PVLR 1238, 8/6/12).
Here, the FTC alleged that Accretive Health “created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.”
The proposed consent order would require Accretive Health to establish and maintain “a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”
This program “shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity, the nature and scope of respondent's activities, and the sensitivity of the personal information collected from or about consumers.”
In particular, the proposed order would require Accretive Health to:
• designate an employee or employees to coordinate and be accountable for the information security program;
• identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks;
• design and implement reasonable safeguards to control the risks identified through risk assessment and regularly test or monitor the effectiveness of the safeguards' key controls, systems and procedures;
• develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Accretive Health and require service providers by contract to implement and maintain appropriate safeguards; and
• evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to operations or business arrangement or any other circumstances that it knows or has reason to know may have a material impact on its information security program.
The company also would be required to have the program evaluated both initially and every two years by a certified third party. The provisions will apply to Accretive Health's operations for the next 20 years.
The FTC released an analysis of the proposed consent order to assist the public in furnishing comments. Public comments are due by Jan. 30.
Andrew Clubok of Kirkland & Ellis LLP, in New York, and Marimichael Skubel and Nina Frant of the firm's Washington office, represented Accretive. Katherine Armstrong, Allison Lefrak and David W. Lincicum of the FTC Bureau of Consumer Protection, in Washington, represented the commission.
The proposed consent order is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthorder.pdf.
The draft complaint is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthcmpt.pdf.
The analysis of the proposed settlement is available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthanal.pdf.