Fairview Health Services was the first Minnesota hospital to drop Accretive’s services earlier this year, and Fairview is a 25 percent owner of Maple Grove. That leaves North Memorial Health Care as the remaining hospital customer in Minnesota.
Lots of rules around PII
In a previous life, I managed email campaigns. To write copy, compile email lists and schedule sends, I had to be trained on how to manage files containing PII — personally identifiable information. In addition to learning how to de-identify the data and how to manage the security of the files, I had to agree to a criminal background check in the last three states I had lived in.
This was all to manage files that contained at most 100,000 email addresses and nothing else — no first/last name, snail mail address or phone number. Could the average laptop thief identify a person based on a single piece of information, such as firstname.lastname@example.org?
Patient data on the stolen Accretive laptops included names, addresses, Social Security numbers, health history, treatment history and scores to measure patients’ frailty, complexity and hospitalization likelihood.
Surely given all the data in the medical records that Accretive had, employees had to go through at least some training on how to manage and secure PII. A phone call and an email to Accretive asking about these policies were not immediately returned.
As few people were willing to comment on this latest development, I read the memorandum of law from the Minnesota Attorney General’s Office. Lots of interesting details that I hadn’t seen previously jumped out. All of the following information is from the AG doc:
Accretive told the U.S. Senate that nine company laptops were stolen in 2011 alone. The theft that started it all happened to Accretive Vice President Matthew Doyle. He left an unencrypted laptop computer containing PII about 23,531 Fairview and North Memorial patients in plain view in the backseat of a rental car in Minneapolis.
When the laptop was stolen last July, Doyle was working on the North Memorial account, but he still had massive amounts of data from two other hospitals, including Fairview, on whose behalf he had not worked for more than three months.
HIPAA says a contractor should access only the “minimum necessary” information on a “need-to-know basis.” Mr. Doyle’s laptop contained patient data arising out of the Fairview QTCC healthcare delivery contract, under which he never worked.
This is my favorite part of the document:
Mr. Doyle was a vice president of Accretive. If a top company official can access patient data he didn’t need, load his laptop with immense amounts of patient data he didn’t need, keep the data on his laptop months after he had any hint of pretense for needing it, and take the data out of the hospital facilities and throw it in the backseat of a rental car — then Accretive clearly didn’t properly train its employees.
Collections strategy is stronger than security policies
In reading the patient accounts in the memorandum of law from the Minnesota AG, the visits from the “financial counselors” seem carefully timed to occur:
- On the day of a surgery (Bill Karsko, Daniel Ritter, Amy Morris)
- After a patient is in a gown and hooked up to IVs (Ann Johnson, Bruce Folken, Carol Wall)
- With the patient alone with no friends or family members present (Tom Fuller, Janet Legler)
- When the patient is in great pain (Jack Wiebke, Sarah Beckman, Don Williams)
A company that can carefully design its payment requests for maximum ROI should be able to get employees to lock laptops in the trunk before going out to eat.
For its part, Accretive says it is not a debt collector focused on patients, but instead works with hospitals to secure money owed by insurance companies. The company also says that it helps uninsured patients obtain third-party health coverage from Medicaid, COBRA, or charity assistance, and that, since 2003, it has helped more than 250,000 uninsured patients find coverage.
[Image from flickr user purpleslog]