Accretive Health Sued for Loss of Electronic Patient Data

After a laptop containing several thousand hospital records was lost, Accretive Health has
been taken to court by the Minnesota Attorney General. In addition to being charged with
violations of HIPAA regulations, Accretive Health is facing charges of consumer fraud and
deceptive practices.

On January 19, the Minnesota Attorney General filed a civil lawsuit against the business associate,
Accretive Health, Inc., after one of its employees lost a laptop containing personal and health
details for up to 23,000 patients from the company’s medical clients.

Accretive Health had been hired to undertake a “Quality and Total Cost of Care” service agreement for
two hospitals, managing their revenue cycle process in exchange for certain incentive payments.
During this time, the aforementioned laptop was stolen from a car owned by one of Accretive’s
employees.

In the lawsuit, the Attorney General states that the business failed to implement the proper
encryption measures when it came to securing the information on the stolen laptop. It is also alleged
that the company failed to notify patients about its role in the hospitals’ revenue cycle processes,
violating several consumer fraud and deceptive practices laws as well.

Accretive now faces a penalty of up to $25,000 per year as well as potential financial liability and loss
of reputation. This new case reinforces the risks that business associates face in the event of a data
breach, not to mention the severe scrutiny that they will be put under should this type of scenario occur.

For more info, visit http://view.exacttarget.com/?j=fe5316787267057a7d1c&m=ff021575766606&ls=fdf412767d62057f7c147171&l=fecc11747767007c&s=fdf815757d65017b76177173&jb=ffcf14&ju=fe2117727d630274771479&&elq_mid=17256&elq_cid=1094517#MINNESOTA

2 Responses to “Accretive Health Sued for Loss of Electronic Patient Data”
  1. carol walters 30 May 2012 at 9:45 am #

    In the case of the lost/stolen laptop computer: if the computer is password protected, wouldn’t that be enough protection? OR does the PHI still need to be encrypted in spite of password protection?

  2. Jon Stone 6 June 2012 at 1:49 pm #

    The HIPAA Security Regulations do not explicitly require encryption. BUT! Encryption is a highly effective control for safeguarding ePHI, especially on laptops. In America, business laptops are stolen or lost every day. In a recent study of laptop loss in the United States, conducted by Ponemon, they found that the problem led to losses of $2.1 billion for surveyed companies, or $6.4 million per business. In the study, 329 organizations surveyed lost more than 86,000 laptops over the course of a year. From a business risk management perspective, I would highly recommend encryption for laptop devices. Given these frightening statistics, I say get encryption for laptops.

    Jon Stone
    VP Product Development
