The Federal Trade Commission (FTC) has announced settlement of charges against Accretive Health, Inc. The FTC had alleged that Accretive engaged in an unfair business practice when it failed "to employ reasonable and appropriate measures to protect personal information against unauthorized access."
Accretive Health is a Chicago-based medical billing and revenue management service company. The FTC alleged that it violated Section 5 of the FTC Act by failing to adequately safeguard an employee laptop, later stolen, that contained unencrypted personal data on 23,000 patients. The data included names, billing information, diagnostic information and Social Security numbers, none of which, the FTC argued, the employee needed in order to perform his job.
The FTC alleged that Accretive Health created unnecessary risks, and thereby engaged in an unfair practice, by:
Allowing the transport of laptops containing sensitive personal information in a manner that exposed them to theft or misappropriation;
Failing to adequately restrict access to sensitive personal information;
Failing to ensure removal of unnecessary information from employee computers; and
Using sensitive personal information in training sessions and failing to confirm removal of the information from employees' computers upon the conclusion of the training.
The settlement requires Accretive Health to implement a comprehensive information security program to be reviewed every two years for the next 20 years.
Numerous regulatory agencies are focusing unprecedented attention on enforcing the many rules and regulations that dictate the measures organizations must take to protect customer and patient information. Noncompliance and security breaches can result in costly penalties and an irrecoverable loss of customer confidence.