Medical billing firm Accretive Health Inc. must establish a comprehensive information security program under terms of a settlement in an incident in which a laptop computer containing information on 23,000 patients was stolen from an automobile.
In the July 2011 Minneapolis incident, an Accretive employee's laptop containing 20 million pieces of information was stolen from the employee's car, the FTC said.
The settlement does not provide for payment of fines, said a spokeswoman for the Federal Trade Commission.
In a statement Tuesday, the FTC said it had charged Chicago-based Accretive in its complaint with failing to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, including sensitive personal health information.
The FTC alleged that Accretive had created unnecessary risk by transporting laptops containing personal information in a way that left them vulnerable to theft, among other allegations.
The agreement will be subject to public comment through Jan. 30, after which the commission will decide whether to make the proposed consent order final, the FTC said.
In a statement, Accretive said it is pleased to have reached the agreement.
“Accretive Health sets the highest standards of privacy and security for our customers. Recognizing that information security is a dynamic process, we continuously add redundancies to our data security polices to improve protections,” according to the statement.
Accretive also said that in January 2013, it achieved certification under the Frisco, Texas-based Health Information Trust Alliance, which “assures that Accretive Health is meeting the health care industry's highest standards in managing risk and protecting health information.”
In a separate incident, Accretive Health in July 2012 said that it would wind down its Minnesota operations to settle a six-month-old lawsuit by the state in which it was accused of
violating state and federal health privacy laws through aggressive debt collection tactics.
The FTC said Tuesday that its staff had sent a letter to Accretive indicating it would not recommend an enforcement action related to allegations concerning debt collection practices in hospitals.
While the FTC staff is not recommending a Fair Debt Collection Practices Act case against Accretive at this time, “the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility raises serious concerns,” according to the letter.