On New Year’s Eve, the Federal Trade Commission (“FTC” or “Commission”) announced that it had approved, 4-0, a settlement with Accretive Health, Inc. – a provider of medical billing and revenue services to hospitals nationwide – resolving allegations that the company failed to adequately protect sensitive consumer information, which resulted in a 2011 data breach. The settlement agreement does not impose a civil penalty, but Accretive Health is required to establish and implement a comprehensive information security program.
In the complaint, the FTC alleges that Accretive Health failed to implement reasonable and appropriate security measures and procedures to protect the personal information of the patients of the company’s hospital clients, which included sensitive health information such as medical diagnostic information, billing information, names, dates of birth, and Social Security numbers. The FTC also claims that this failure led to an incident in July 2011, in which a laptop containing the sensitive information of 23,000 patients was stolen from an employee’s car. Permitting employees to transport laptops containing such sensitive personal information created unnecessary risks and exposed the company to theft, the FTC stated. Additionally, according to the FTC, Accretive’s security procedures should have prevented employees from retaining consumers’ personal information when it was no longer needed and should have placed need-based restrictions on access to personal information.
Under the terms of the consent order, Accretive Health must establish, implement, and maintain a comprehensive information security program reasonably designed to protect consumers’ personal information. The program must: (1) designate an employee responsible and accountable for the program; (2) identify material and external risks that could result in a breach of security, and assess the adequacy of any safeguards; (3) design, implement, and regularly test and monitor the effectiveness of reasonable safeguards; (4) develop and use reasonable steps to select service providers capable of appropriately safeguarding personal information; and (5) evaluate and adjust the program in light of the required testing and monitoring. Additionally, the order requires a certified third party to evaluate the information security program initially and biannually for the next 20 years.
The complaint – the latest data security action the Commission has publicized – alleges that Accretive Health’s lack of adequate security measures constitutes an unfair practice, in violation of Section 5(a) of the FTC Act. This action serves as a reminder to companies that the FTC will continue to exercise its data security enforcement authority under the unfairness prong of Section 5, despite the challenges in court to that authority from Wyndham Worldwide and others.