Failure To Protect Data May Be an Unfair Business Practice

The Federal Trade Commission (FTC) has announced settlement of charges against Accretive Health, Inc. The FTC had alleged that Accretive engaged in an unfair business practice when it failed "to employ reasonable and appropriate measures to protect personal information against unauthorized access."

Accretive Health is a Chicago-based medical billing and revenue management service company. The FTC alleged that it violated Section 5 of the FTC Act by failing to adequately safeguard, and prevent the theft of, an employee laptop containing unencrypted personal data about 23,000 patients. The data included names, billing information, diagnostic information and Social Security numbers — all of which the FTC argued was not necessary for the employee to perform his job.

The FTC alleged that Accretive Health created unnecessary risks and thereby engaged in an unfair practice by:

  • Allowing the transport of laptops containing sensitive personal information in a manner that exposed them to theft or misappropriation;
  • Failing to adequately restrict access to sensitive personal information;
  • Failing to ensure removal of unnecessary information from employee computers; and
  • Using sensitive personal information in training sessions and failing to confirm removal of the information from employees' computers upon the conclusion of the training.

The settlement requires Accretive Health to implement a comprehensive information security program to be reviewed every two years for the next 20 years.

Numerous regulatory agencies are focusing unprecedented attention on enforcement of a multitude of rules and regulations that dictate the measures organizations must take to protect customer and patient information. Noncompliance and security breaches may result in costly penalties and the irrecoverable loss of customer confidence.

Topics: Data Protection, FTC, Personally Identifiable Information, PHI, Unfair or Deceptive Trade Practices

Published In: Antitrust & Trade Regulation Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WeComply, a Thomson Reuters business | Attorney Advertising
