Accretive Health Settles FTC Allegations of Lax Security for Consumer Information

Medical billing firm Accretive Health Inc. will launch an information security program aimed at protecting consumer information as part of a recent settlement with the U.S. Federal Trade Commission. The FTC had previously alleged that the firm had violated the FTC Act due to its failure to provide adequate security for consumer information it collected and maintained. Accretive Health has agreed to measures including the designation of an employee to coordinate and be accountable for the information security program and the identification of internal and external risks for areas such as employee training, network and software design, and prevention and detection of attacks. Under the terms of the agreement, Accretive Health also will design and implement safeguards to control any risks identified and to regularly test the safeguards’ effectiveness. Additionally, Accretive Health agreed to initial and biennial third-party auditing of their security measures and to maintain those records and make them available to the FTC upon request. The settlement will be in effect for 20 years.  Accretive Health had faced charges that it created unnecessary risk of unauthorized access or theft by transporting laptops in a manner that made them vulnerable to theft, failing to restrict access to and copying of personal information, failing to ensure that information for which there was no longer a business need was removed from the laptops, and using consumers’ personal information in training sessions with employees and failing to remove that information following training. Alleged security issues at Accretive Health drew attention following a July 2011 incident where an Accretive Health laptop containing over 600 files of data with information related to 23,000 patients was stolen from an employee’s car.

Tip: Companies should be sure to consider and include laptop and mobile device usage in their security policies.