Accretive Health Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information

UNITED STATES OF AMERICA, BEFORE THE FEDERAL TRADE COMMISSION

Commissioners: Edith Ramirez, Chairwoman, Julie Brill, Maureen K. Ohlhausen, Joshua D. Wright

In the Matter of ACCRETIVE HEALTH, INC. 

DOCKET NO. C-4432

COMPLAINT

The Federal Trade Commission (“Commission”), having reason to believe that Accretive Health, Inc. has violated the provisions of the Federal Trade Commission Act (“FTC Act”), and it appearing to the Commission that the proceeding is in the public interest, alleges:

• Respondent Accretive Health, Inc. (“Accretive Health” or “Respondent”) is a Delaware corporation with its principal executive office located at 401 North Michigan Avenue, Suite 2700, Chicago, Illinois.

• The acts or practices of Accretive Health as alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. §44.

ACCRETIVE HEALTH’S BUSINESS ACTIVITIES

• Accretive Health enters into service agreements with hospital systems around the country to provide services related to the hospital systems’ “revenue cycle” operations. Revenue cycle includes registration, transcription, coding and medical documentation, billing, denial management, strategic pricing, and collection of past due accounts. In exchange for these services, hospital systems pay Accretive Health both fixed fees and incentive payments based on a percentage of the monetary benefit from increased revenues.

• Accretive Health provides services through technology, operating methodology, and by placing some revenue cycle managers into the hospital system’s existing processes to augment its revenue cycle operations. Accretive Health employees work at hospital facilities to assist with these services.

RESPONDENT’S SECURITY PRACTICES

• As part of its service to client hospitals, Accretive Health collects, maintains, and has access to information about hospitals’ patients, including personal information. This information may include patient names, dates of birth, billing information, diagnostic information, and Social Security numbers.

• Until at least July 2011, Accretive failed to provide reasonable and appropriate security for consumers’ personal information it collected and maintained by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access. Among other things, Accretive Health created unnecessary risks of unauthorized access or theft of personal information by:

  • Transporting laptops containing personal information in a manner that made them vulnerable to theft or other misappropriation;
  • Failing to adequately restrict access to, or copying of, personal information based on an employee’s need for information;
  • Failing to ensure that employees removed information from their computers for which they no longer had a business need; and
  • Using consumers’ personal information in training sessions with employees and failing to ensure that the information was removed from employees’ computers following the training.

• Accretive Health’s failures to provide reasonable and appropriate security for consumers’ personal information resulted in a July 2011 incident in Minneapolis, Minnesota in which an Accretive Health laptop containing over 600 files with over 20 million pieces of information related to 23,000 patients was left in the locked passenger compartment of the employee’s car and stolen. The laptop included sensitive personal and health information, including patient names, dates of birth, billing information, diagnostic information, and Social Security numbers. The user of this laptop had data that was not necessary to perform his job.

VIOLATIONS OF THE FTC ACT

• Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.”

• As set forth in Paragraphs 6 and 7, Respondent failed to employ reasonable and appropriate measures to protect personal information against unauthorized access. Respondent’s practices caused, or are likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. These practices were, and are, an unfair act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

THEREFORE, the Federal Trade Commission, this fifth day of February, 2014, has issued this complaint against Accretive Health.

By the Commission.

DECISION AND ORDER

The Federal Trade Commission ("Commission" or "FTC"), having initiated an investigation of certain acts and practices of the respondent named in the caption hereof, and the respondent having been furnished thereafter with a copy of a draft complaint that the Bureau of Consumer Protection proposed to present to the Commission for its consideration and which, if issued by the Commission, would charge respondent with violations of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. $ 45 et seg.;

The respondent, its attorney, and counsel for the Commission having thereafter executed an Agreement Containing Consent Order ("Consent Agreement*), which includes: a statement by respondent that it neither admits nor denies any of the allegations in the draft complaint, except as specifically stated in the Consent Agreement, and, only for purposes of this action, admits the facts necessary to establish jurisdiction; and waivers and other provisions as required by the Commission's Rules; and

The Commission having thereafter considered the matter and having determined that it had reason to believe that the respondent has violated the FTC Act, and that a complaint should issue stating its charges in that respect, and having thereupon accepted the executed consent agreement and placed such agreement on the public record for a period of thirty (30) days for the receipt and consideration of public comments, and having duly considered the comments received from interested persons pursuant to Commission Rule 2.34, 16 C.F.R. § 2.34, now in further conformity with the procedure prescribed in Commission Rule 2.34, the Commission hereby issues its complaint, makes the following jurisdictional findings, and enters the following Decision and Order ("Order"):

• Respondent Accretive Health, Inc. ("Accretive Health" or "Respondent) is a Delaware corporation with its principal executive office located at 401 North Michigan Avenue, Suite 2700, Chicago, Illinois.
• The Federal Trade Commission has jurisdiction of the subject matter of this proceeding and of the respondent, and the proceeding is in the public interest.

ORDER

I.

DEFINITIONS


For purposes of this Order, the following definitions shall apply:

• Unless otherwise specified, “respondent” shall mean Accretive Health, and its successors and assigns.
 
• “Personal Information” means individually identifiable information from or about an individual consumer, including but not limited to: (a) a first and last name; (b) a home or other physical address; (c) an email address or other online contact information, such as instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license or other state-issued identification number; (g) a financial institution account number; (h) an insurance account number or other insurance information; (i) credit or debit card information; (j) a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, or a processor serial number; or (k) any information that is combined with any of (a) through (j) above.
• “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.

II.


IT IS ORDERED that respondent shall, no later than the date of entry of this Order, establish and implement, and thereafter maintain, or continue to maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:

• The designation of an employee or employees to coordinate and be accountable
  for the information security program;
• The identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and the assessment of the sufficiency of any safeguards in place to control the risks. At a minimum, this risk assessment should include consideration of the risks in each relevant area of operations, including but not limited to: (a) employee training and management; (b) information systems, including network and software design, information processing, storage, transmission, and disposal; and (c) prevention, detection, and response to attacks, intrusions, and other system failures;
• The design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing and monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
• The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
•  The evaluation and adjustment of the information security program in light of the results of the testing and monitoring required by Paragraph 3 of this Section, any material changes to operations or business arrangements, or any other circumstances that Defendant knows or has reason to know may have material impact on the effectiveness of the information security program.
  
  

III.

• Set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;
• Explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers;
• Explain how the safeguards that have been implemented meet or exceed the protections required by Section II of the Order; and
• Certify that Respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has so operated throughout the reporting period.

IV.

• For a period of three (3) years after the date of preparation of each Assessment required under Section III of the Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of respondent, including but not limited to, all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to Respondent’s compliance with Section II of this order, for the compliance period covered by such Assessment;
• Unless covered by IV.1, for a period of five (5) years from the date of preparation or dissemination, whichever is later, a print or electronic copy of each document relating to compliance with this Order, including but not limited to documents, whether prepared by or on behalf of Respondent, that contradict, qualify, or call into question compliance with the Order.

V.

IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future subsidiaries, current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current subsidiaries and personnel within thirty (30) days after service of this order, and to such future subsidiaries and personnel within thirty (30) days after the person assumes such position or responsibilities. For any business entity resulting from any change in structure set forth in Part VI, delivery shall be at least ten (10) days prior to the change in structure. Respondent must secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days of delivery, from all persons receiving a copy of the order pursuant to this section.


VI.


IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation(s) about which respondent learns fewer than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. Unless otherwise directed by a representative of the Commission, all notices required by this Part shall be sent by overnight courier (not the U.S. Postal Service) to the Associate Director of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580, with the subject line *In the matter of Accretive Health, Inc.*, FTC File No. 1223077. Provided, however, that in lieu of overnight courier, notices may be sent by first-class mail, but only if an electronic version of any such notice is contemporaneously sent to the Commission at Debrief@ftc.gov.

VII.


IT IS FURTHER ORDERED that Respondent, within sixty (60) days after the date of service of this Order, shall file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form of its compliance with this Order. Within ten (10) days of receipt of written notice from a representative of the Commission, it shall submit additional true and accurate written reports.


VIII.

• Any part in this Order that terminates in less than twenty (20) years; and
• this order’s application to any respondent that is not named as a defendant in such complaint; and
• This order if such complaint is filed after the order has terminated pursuant to this part.


Provided, further, that if such complaint is dismissed or a federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

ISSUED:  February 5, 2014