Privacy & Cybersecurity Law Blog

On July 31, 2012, Minnesota Attorney General Lori Swanson announced a $2.5 million settlement with Accretive Health, Inc. (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, and various Minnesota debt collection and consumer protection laws. As we previously reported in January 2012, Accretive, which acted as a business associate to two Minnesota hospital systems, experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

Under the terms of the settlement, Accretive will be banned from operating in Minnesota for two years and mayresume operations after that periodonly if the Minnesota Attorney General agrees to a consent order with Accretive at that time. In addition to paying $2.5 million, which will be used to compensate patients affected by the breach, Accretive must return all data about Minnesota patients to the relevant hospitals.

On August 7, 2012, the United States District Court for the District of Minnesota officially dismissed the claims against Accretive pursuant to the stipulation of dismissal that was filed along with the settlement agreement. Although Minnesota debt collection and consumer protection laws were at issue in this case, the $2.5 million settlement amount is nonetheless notable as it is greater than all but one other HIPAA enforcement action brought by the Department of Health and Human Services – a $4.3 million civil monetary penalty imposed against Cignet Health in February 2011.