Accretive Health, the catalyst for last year’s HIPAA data breaches at the Fairview and North Memorial hospitals in Minnesota, has asked a judge to dismiss a lawsuit brought by the Attorney General of Minnesota. The situation could have been avoided had Accretive used laptop encryption software such as AlertBoot, like they were supposed to.
I’ve covered the story before here, which provides links to some other posts.
Accusation: AG is Trying to Win in Public Opinion Sphere, Not Court
Accretive has filed a motion to dismiss the case, accusing Lori Swanson — the Minnesota Attorney General — of making “factually baseless and legally indefensible” allegations (businessweek.com).
A spokesperson for the AG’s office noted that “the dismissal request is a ‘typical first step’ for a corporate defendant” and that “We’re very confident in the legal claims that are laid out in the complaint.”
Accretive, in what appears to be a strategy to defuse concerns, has issued a press release. For those interested in the HIPAA aspect of the story, this is their argument (marketwatch.com):
The core of this case involves the criminal theft of a password-protected laptop. Under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act, a company cannot be held liable for the unforeseeable criminal act of a third party stealing a corporate laptop. Further, in the ten months since the laptop was stolen, there is no evidence (and the Attorney General does not even claim) that any patient data has been compromised. As a result, in the absence of any injury, the Attorney General lacks legal standing to pursue claims under HIPAA and the Minnesota Health Records Act as a matter of law.
AGs Have Power to Prosecute HIPAA Violations
State AGs have been given the power to enforce HIPAA (which the AGs put to use in the Health Net case). I’m pretty sure the AG’s argument is not based on the theft of laptops. Like the hhs.gov site notes:
The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules. [my emphasis]
So, the question to ask here is not “was anyone harmed?” but “did Accretive violate HIPAA Privacy and Security Rules in any way?” Gee…a laptop with information on nearly 17,000 Minnesota residents was stolen. Per Accretive’s own admission, the computer was not secured with encryption software when it should have been, and the laptop was stolen from the back seat of a rental car.
Does that sound like people’s PHI (protected health information) was secured properly? No? Would it be overreaching to conclude that it was a violation of HIPAA Privacy and Security Rules? I mean, the rules do require proper protection of people’s health data, even if encryption is not required (but only if other security is present). An unencrypted laptop in the back seat of a car doesn’t quite meet the requirement.
More Instances of “PHI Breaches”
“PHI breaches” is in quotation marks because, technically, it wasn’t a breach. According to twincities.com, Accretive had a similar situation in June 2010, when another employee had his laptop stolen from his car while parked outside a restaurant.
Sound familiar? It’s the same exact scenario that developed in 2011. There was a big difference, though: the 2010 laptop was encrypted.
While some point to this as a pattern, I’d disagree (not least because two instances do not constitute a pattern). Sure, laptops were stolen from cars. But the presence of encryption makes a world of difference.
If anything, the 2010 encryption would show that Accretive does not have a pattern of data breaches, even if they do have a pattern of losing laptops from parked cars. And, let’s face it, the latter is meaningless to all but the guy working in the procurement department. And whichever company is insuring these machines.
Stock Takes Nosedive
It just doesn’t look good for Accretive. That must be the reason why its stock took a hit: on April 24, the stock was averaging $19 per share or so; currently, it’s at around $9 per share. It’s probably also the reason why Accretive came out with their guns blazing, noting how the AG’s charges against the company do not have any merit. In my experience, companies that caused a massive breach tend to be humble about their data indiscretions.
And to think, all of this could have been avoided with the simple installation of laptop encryption software.