On December 31, 2013, the Federal Trade Commission announced that Accretive Health, Inc. (“Accretive”) has agreed to settle charges that the company’s inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse. Accretive experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.
The FTC alleged that Accretive failed to (1) provide reasonable and appropriate security measures to protect consumers’ personal information, (2) employ reasonable procedures designed to ensure that employees remove consumers’ personal information that they no longer needed from their computers, and (3) adequately restrict employee access to consumers’ personal information based on an employee’s need for the information. Under the terms of the settlement with the FTC, which will be in force for 20 years, Accretive must establish a comprehensive information security program that will be evaluated both initially and every two years by a certified, independent third party.
On July 31, 2012, Accretive settled a federal lawsuit with the Minnesota Attorney General for $2.5 million for violations of the Health Insurance Portability and Accountability Act of 1996 and various Minnesota debt collection and consumer protection laws relating to the same incident.
The FTC settlement is open for public comment until January 30, 2014.
Update: On February 24, 2014, the FTC approved the final consent order with Accretive.