Privacy & Information Security Law Blog

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

Accretive, a licensed debt collector in Minnesota, provides revenue and cost management services to two Minnesota hospital systems by grading patients according to their risk of hospitalization, compiling profit and loss reports at the patient level, and identifying “real-time interventions with significant revenue or cost impact.” In providing these services to the hospitals, Accretive was a business associate pursuant to the HIPAA Privacy Rule and gained widespread access to patient PHI. This PHI included a patient’s name, address, Social Security number and medical condition, such as whether the patient suffers from depression, is HIV-positive or has diabetes.

In the complaint, Attorney General Swanson is requesting that the District Court enjoin Accretive from violating the HIPAA Security Rule, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit also requests statutory damages under HIPAA, the HITECH Act and Minnesota state law, and reasonable attorneys’ fees. Finally, the complaint requests that the court order Accretive to disclose to affected patients “the data that [Accretive] has about them, where and how such data is stored, including but not limited to whether it has been sent overseas, and how such data is utilized.”

Read Attorney General Swanson’s announcement and the accompanying complaint.