The Federal Trade Commission said today that Accretive Health agreed to a settlement that will end an inquiry into allegations the company did not do enough to protect consumers' health information.
Accretive Health helps hospitals manage billing, collections and other financial matters. The proposed settlement calls for the company to establish a comprehensive information security program to protect sensitive information. The program will be evaluated by a third party when it is created, and that third party will evaluate the program every two years. The FTC said the settlement will be in force for the next 20 years.
The public will have 30 days to comment on the agreement, and the FTC will decide whether to make the proposal final after that.
The FTC's inquiry stems from a 2011 incident in which a laptop was stolen from an Accretive employee's car. The laptop contained the data of 23,500 patients.
"The Commission alleges that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft," the FTC said in a statement.
The agency also said Accretive did not do enough to make sure employees removed consumer health information from their computers after employees didn't need the information anymore, didn't adequately restrict employee access to personal information, and failed to remove consumer information from employees' computers after training sessions.
An investigation into the theft of the laptop revealed that the Chicago company had access to patient data through contracts with the hospitals, and it used that data to assess patients' risk of becoming hospitalized.
Minnesota Attorney General Lori Swanson sued Accretive in 2012, accusing the company of using high-pressure tactics to get patients at Minnesota hospitals to pay before treatment was given. A report from Swanson's office also accused Accretive of misusing private patient information and creating an atmosphere in which employees were coached to aggressively collect debt.
Accretive agreed to pay $2.5 million in restitution for patients and return data to client hospitals. It also agreed to stop doing business in Minnesota for at least two years.