The Federal Trade Commission recently settled charges related to a company's inadequate protection of sensitive consumer information, based largely on the theft of an employee's laptop computer, containing 20 million pieces of information on 23,000 patients, from the passenger compartment of the employee's car.
FTC alleged that the company's inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse, which the FTC alleged was an "unfair act or practice" in violation of Section 5(a) of the FTC Act, 15 U.S.C. 45(a).
Referencing the federal Fair Debt Collection Practices Act, but declining to recommend an FDCPA lawsuit "at this time," the FTC also stated that the practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility "raises serious concerns."
A copy of the complaint is available at:
http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthcmpt.pdf
The FTC's complaint against the company alleged that the company failed to provide reasonable and proper security measures and procedures to protect consumers' personal information, including sensitive personal health data. The company had access to a wealth of personal information about its hospital clients' patients, including names, dates of birth, Social Security numbers, billing information, and medical diagnostic information.
The FTC's Complaint further alleged that the company's failure to adequately safeguard its sensitive information led to a July 2011 security breach where an employee's laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee's car. The FTC alleged that the company created needless risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft.
The FTC's Complaint also alleged that the company failed to employ acceptable procedures to ensure that employees removed consumers' personal information that they no longer required from their computers. The FTC's Complaint further alleged that in certain instances, when the company used the personal health information of consumers in training sessions for employees, it failed to remove that information from employees' computers after the completing the training. In addition, the FTC alleged that the company failed to adequately restrict employee access to consumers' personal information based on an employee's need for the sensitive information.
Pursuant to the settlement, the company must design and implement a comprehensive information security program to protect consumers' sensitive information. The security program must be evaluated by a certified third party upon implementation and every two years thereafter for the next twenty years.
The FTC also sent a letter to the company stating that it would not recommend an enforcement action related to allegations regarding the company's debt collection attempts from consumers that are hospitalized. The FTC declined to recommend a Fair Debt Collection Practices Act case against the company at this time, but expressed serious concern over the company's alleged practice of attempting to collect payment for prior debts from consumers while they are seeking treatment in an emergency room or other medical facility.
The Commission voted 4-0 to accept the consent agreement package containing the proposed consent order. The FTC will soon publish a description of the consent agreement in the Federal Register. The consent agreement will be subject to public comment through Thursday, Jan. 30, 2014, after which the FTC will decide whether to finalize the proposed consent order.
The FTC invited interested parties to submit written comments electronically or in paper form, as described in the press release:
Ralph T. Wutscher
McGinnis Wutscher Beiramee LLP
The Loop Center Building
105 W. Madison Street, 18th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751
Mobile: (312) 493-0874
Email: RWutscher@mwbllp.com
Admitted to practice law in Illinois
McGinnis Wutscher Beiramee LLP
CALIFORNIA | FLORIDA | ILLINOIS | INDIANA | WASHINGTON, D. C.
NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.
Our updates are available on the internet, in searchable format, at:
http://updates.mwbllp.com