Data security faults outweigh debt-collecting skills as Accretive loses second hospital

Accretive Health lost another customer late last week: Maple Grove Hospital has terminated its contract with the debt collector.

Fairview Health Services was the first Minnesota hospital to drop Accretive’s services earlier this year, and Fairview is a 25 percent owner of Maple Grove. That leaves North Memorial Health Care as the remaining hospital customer in Minnesota.

Lots of rules around PII

In a previous life, I managed email campaigns. To write copy, compile email lists and schedule sends, I had to be trained on how to manage files containing PII — personally identifiable information. In addition to learning how to de-identify the data and how to manage the security of the files, I had to agree to a criminal background check in the last three states I had lived in.

This was all to manage files that contained at most 100,000 email addresses only — not even first/last name, snail mail address or phone number. Could the average laptop thief identify a person based on a single piece of information, such as darkangel756@hotmail.com?

Patient data on the stolen Accretive laptops included names, addresses, Social Security numbers, health history, treatment history and scores to measure patients’ frailty, complexity and hospitalization likelihood.

Surely given all the data in the medical records that Accretive had, employees had to go through at least some training on how to manage and secure PII. A phone call and an email to Accretive asking about these policies were not immediately returned.

As few people were willing to comment on this latest development, I read the memorandum of law from the Minnesota Attorney General’s Office. Lots of interesting details that I hadn’t seen previously jumped out. All of the following information is from the AG doc:

Accretive told the U.S. Senate that nine company laptops were stolen in 2011 alone. The theft that started it all happened to Accretive Vice President Matthew Doyle. He left an unencrypted laptop computer containing PII about 23,531 Fairview and North Memorial patients in plain view in the backseat of a rental car in Minneapolis.

When the laptop was stolen last July, Doyle was working on the North Memorial account, but he still had massive amounts of data from two other hospitals, including Fairview, on whose behalf he had not worked for more than three months.

HIPAA says a contractor should only access the “minimum necessary” information on a “need-to-know basis.” Mr. Doyle’s laptop contained patient data arising out of the Fairview QTCC healthcare delivery contract under which he never worked.

This is my favorite part of the document:

Mr. Doyle was a vice president of Accretive. If a top company official can access patient data he didn’t need, load his laptop with immense amounts of patient data he didn’t need, keep the data on his laptop months after he had any hint of pretense for needing it, and take the data out of the hospital facilities and throw it in the backseat of a rental car — then Accretive clearly didn’t properly train its employees.

Collections strategy is stronger than security policies

In reading the patient accounts in the memorandum of law from the Minnesota AG, the visits from the “financial counselors” seem carefully timed to occur:

  • On the day of a surgery (Bill Karsko, Daniel Ritter, Amy Morris)
  • After a patient is in a gown and hooked up to IVs (Ann Johnson, Bruce Folken, Carol Wall)
  • With the patient alone with no friends or family members present (Tom Fuller, Janet Legler)
  • When the patient is in great pain (Jack Wiebke, Sarah Beckman, Don Williams)

A company that can carefully design its payment requests for maximum ROI should be able to get employees to lock laptops in the trunk before going out to eat.

For its part, Accretive says it is not a debt collector focused on patients, but instead works with hospitals to secure money owed by insurance companies. The company also says that it helps uninsured patients obtain third-party health coverage from Medicaid, COBRA, or charity assistance, and that since 2003 it has helped more than 250,000 uninsured patients find coverage.

Read the company’s statements to a recent Senate committee hearing here. Listen to CEO Mary Tolan talk about the company’s clients here.

[Image from flickr user purpleslog]

Veronica Combs

Veronica is an independent journalist and communications strategist. For more than 10 years, she has covered health and healthcare with a focus on innovation and patient engagement. Most recently she managed strategic partnerships and communications for AIR Louisville, a digital health project focused on asthma. The team recruited 7 employer partners, enrolled 1,100 participants and collected more than 250,000 data points about rescue inhaler use. Veronica has worked for startups for almost 20 years doing everything from launching blogs, newsletters and patient communities to recruiting speakers, moderating panel conversations and developing new products. You can reach her on Twitter @vmcombs.
