When a data oops becomes an uh-oh
We’ve said it before, but it bears repeating: Glitch Happens. In the case of Accretive Health, Inc., it was a laptop taken from the passenger compartment of an employee’s car. What transformed this oops into a full-fledged uh-oh was that the laptop contained files with 20 million pieces of data about 23,000 patients, including sensitive health information. And according to the FTC’s lawsuit, the employee in question didn’t need all that to do his job. But that’s not the only point businesses can take from the announcement. If you have clients in the debt collection industry, be sure to read a just-released staff letter about Accretive’s conduct in collecting debts in hospital emergency rooms.
Chicago-based Accretive provides “revenue cycle” services to hospitals across the country. With employees assigned onsite at the hospital, the company covers the financial waterfront with services related to registration, transcription, coding, billing, strategic pricing, and collection of past due accounts. As a service provider, Accretive has access to tons of information about patients, including names, diagnoses, and Social Security numbers.
The FTC’s complaint mentions the incident with the missing laptop, but the allegations are broader than that. The FTC charged that Accretive engaged in a number of practices that, taken together, unreasonably and unnecessarily exposed sensitive consumer information to unauthorized access. According to the complaint, Accretive’s failure to provide reasonable and appropriate security for the personal data it had access to amounted to an unfair trade practice, in violation of the FTC Act.
A look at Accretive’s alleged lapses is illustrative. Specifically, the complaint charged that the company created unnecessary risks by:
- Transporting laptops containing personal information in a way that made them vulnerable to theft or misappropriation;
- Failing to limit access to consumers’ personal information to employees who really needed it to do their jobs;
- Failing to see to it that employees securely remove sensitive information from their computers once there’s no longer a business need; and
- Failing to remove consumers’ personal information from employees’ computers after it was used for staff training sessions.
To settle the case, Accretive has agreed to put a comprehensive information security program in place. Under the proposed order, the FTC will monitor the company's compliance, but Accretive also will need to get the program evaluated and certified by a qualified, independent professional every two years for the next 20 years. Interested in commenting about the proposed order? File by the January 30, 2014, deadline.
Now for the debt collection angle. The FTC staff just released a letter to Accretive addressing emergency room debt collection, conduct the staff said “raise[s] serious consumer protection concerns.” One major issue: People may be deterred from seeking necessary medical care if they fear they’ll be confronted with debts they can’t pay. Furthermore, it’s unlikely that people waiting for emergency care have the paperwork handy to challenge the validity of a purported debt or assess their ability to make payments. As the letter concludes, “debt collectors or other entities that engage in this activity may violate the FDCPA and/or the FTC Act.”
That said, the staff decided to close its investigation of Accretive’s emergency room debt collection practices. Although the letter cites indications that Accretive used unlawful tactics in Minnesota – conduct that led to a $2.5 million settlement with the State Attorney General and a ban on debt collection in that state – staff’s investigation revealed very little evidence that the company used the same tactics in other parts of the country. The letter ended with a reminder to Accretive not to interpret the closing of an investigation as a finding that all is OK: “The Commission reserves the right to take further action as the public interest may require.”
The message for businesses? First, the FTC has been steadfast in calling on companies to adopt sensible data security policies appropriate to the kind of information involved. If your business collects consumer health data – or if you have access to it as a service provider – now is a good time for a check-up.
Second, if employees’ duties don’t require them to deal with sensitive information, the data shouldn’t be available to them in the first place. Prudent companies don’t grant “all-access passes” without a sound business reason.
Third, the Fair Debt Collection Practices Act prohibits debt collectors from communicating with consumers about debt “at any unusual time or place or a time or place known or which should be known to be inconvenient to the consumers.” Could there be a less convenient time than in a hospital emergency room?