Following a public comment period, the Federal Trade Commission has approved a final consent order settling charges that a company providing medical billing and revenue management services to hospitals in multiple states unfairly exposed sensitive consumer information to the risk of theft or misuse because of its inadequate data security measures.
The FTC alleged that the Chicago-based company violated the Federal Trade Commission Act. The settlement was first announced in December 2013. It will be in force for the next 20 years, and it requires Accretive to establish a comprehensive information security program designed to protect consumers’ sensitive personal health information. Accretive must also have its security program evaluated initially, and every two years thereafter, by a certified third party.
The Commission vote to approve the final order in this case was 4-0. (FTC File No. 122 3077; the staff contact is David Lincicum, Bureau of Consumer Protection, 202-326- 2773; see press release dated December 31, 2013.)
Other FTC case files on this matter can be found here. I do not see where there was any public feedback or comments on the proposed settlement, but will check into that. (Update: FTC confirmed they received no comments or public feedback).
Previous coverage of this case on PHIprivacy.net, including Minnesota state action, can be found linked from here.