Accretive Health, which had a HIPAA data breach in 2011, has announced a settlement with the Federal Trade Commission (FTC). As noted at databreaches.net, Accretive also settled with the Minnesota Attorney General for $2.5 million in July of 2012. All of this because, supposedly, one (and only one) of their laptops was not protected with HIPAA-compliant encryption. (Under HIPAA, encryption is an "addressable" safeguard rather than a strict mandate, but a lost device whose data is properly encrypted is not treated as a reportable breach; an unencrypted one is.)
Accretive’s settlement with the FTC is not surprising. After all, they were in the middle of a very high-profile case. First, they were sued by the Minnesota AG. Then, they had their debt collection license temporarily revoked by the Minnesota Commerce Department. Senator Franken also questioned the company about the data breach as well as other problematic business practices. As a consequence of that questioning, Franken may introduce an encryption requirement law at the federal or state level.
It was also revealed during Franken’s questioning that Accretive did use laptop encryption, except on the one laptop that was stolen, which is what caused the HIPAA breach. While improbable, it’s not impossible, and it’s proof that better attention must be given to the issue of laptop disk encryption. A policy of encrypting laptops only protects the devices on which encryption is actually enabled and verified; one exception was enough here to trigger everything that followed.
The FTC settlement doesn’t come with a dollar figure. At least, not directly. Under the terms of the settlement, Accretive must:
- Establish a comprehensive information security program.
- Have that program evaluated every other year for the next 20 years.
- Essentially submit to an audit whenever it suits the FTC.
It’s not $2.5 million, but it’s still a steep price to pay for the loss of a single laptop computer.