AG sues health care service firm for alleged patient privacy violations
Personal health data on thousands of Minnesota patients was shared with a debt collection company that shouldn't have access to such information, Attorney General Lori Swanson said Thursday.
Swanson filed a lawsuit against the company, Chicago-based Accretive Health, alleging that it failed to protect patient health care records and failed to disclose to patients how their records are used.
The lawsuit stems from the theft last year in Minneapolis of a laptop belonging to an Accretive Health employee. The laptop contained unencrypted health data of about 23,500 Fairview Health Services and North Memorial Health Care patients.
Swanson said a Fairview patient's inquiry into what information was compromised revealed that Accretive had information including names, birth dates and Social Security numbers, as well as a patient's chronic conditions and how they were responding to treatment.
Create a More Connected Minnesota
MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.
Swanson said the failure to protect such data was enough to file suit against the company for alleged violations to federal and state health privacy and consumer protection laws. But Swanson also said Accretive shouldn't have had access to such sensitive health information in the first place.
It's information "that should be between a patient and their doctor, not a patient and a debt collector," Swanson said.
Accretive worked for both North Memorial and Fairview as a debt collector, and is licensed in Minnesota as a debt collector, Swanson said. Fairview's relationship with Accretive went further, she said, in a contract that allowed Accretive to help negotiate contracts with insurance companies. Under the arrangement, Fairview would receive incentive pay to cut patient costs, and some of that incentive pay was shared with Accretive, she said.
Swanson said the hospitals provided the patient health information to Accretive, but neither is named in the lawsuit. The attorney general said she plans to "follow up" with the hospitals later.
A spokesman for Fairview Health Services said the hospital hasn't yet reviewed the lawsuit, which was filed in federal court. In a written statement, Fairview said it is "redoubling" efforts to safeguard patient health information and is working to ensure its partners and vendors are doing the same. "We remain committed to our goal of improving patient outcomes, improving the patient experience and lowering the cost of care," the statement read. "We anticipate further communication with the attorney general's office as this matter goes forward."
North Memorial CEO Larry Taylor said the information on the stolen laptop did not contain Social Security numbers, credit card numbers, bank account numbers, health plan policy numbers or home addresses of North Memorial patients. He also pointed out, as Swanson acknowledged, that there's no evidence that any of the stolen information on the laptop has been accessed or misused.
"I want to assure patients who use North Memorial for their care that their privacy is always a priority and that we have systems in place to protect and secure all patient health information," Taylor said in a written statement.
Accretive Health said it will work with the state to resolve the matter.
"We have already enhanced our security procedures to ensure that all patient information is fully protected and secure," spokeswoman Francesca Luthi said.
Through an investigation into the stolen laptop incident, the attorney general's office was able to see what type of information Accretive Health was collecting and how they were using it, she said.
Based on information about whether a patient suffered from any of 22 different chronic medical conditions and information about how that patient was doing with treatment, Accretive numerically scored patients' risk of hospitalization, Swanson said. The company also graded their "frailty" and compiled per-patient profit and loss reports, the lawsuit, alleges.
Accretive Health, which is part of a New York private equity fund, told Wall Street investors what it was doing with such data and how it was collecting incentive pay, but the patients were never told how their information was being used, Swanson said.
"The debt collector found a way to essentially monetize portions of the revenue and health care delivery systems of some nonprofit hospitals for Wall Street investors, without the knowledge or consent of patients," she said.
Swanson said Fairview paid Accretive Health more than $75 million the first three quarters of 2011, based on the company's financial figures.
"Patients here in Minnesota have no idea who Accretive is, let alone the extensive and significant role it's playing in their health care," Swanson said. "No corporation, especially a debt collector, should secretly slice and dice patients' medical statistics without full transparency, full disclosure to the patients who are the subjects to the ranking, scoring, indexing and pricing."
It isn't clear how common it is for a hospital to outsource its debt collection activities to a third party. Allina Hospitals and Clinics does its own debt collection, so no third party is involved, spokesman David Kanihan said.
Essentia Health, which has dozens of hospitals and clinics in greater Minnesota, said it uses a third party debt collector in certain circumstances. But spokeswoman Kim Kaiser said the health system does not share any medical information with the debt collector.
Peter Barry, a Minneapolis attorney who specializes in lawsuits against debt collection companies, said he's familiar with several instances of health care providers sharing detailed health information with a third-party debt collector. He said those debt collectors are likely to misuse the information.
"A debt collector only wants one thing: a payment," Barry said. "Health care information is private between a patient and their medical provider. No hospital, Fairview or otherwise, should be giving that information about any consumer to a debt collector."
Barry called Fairview's alleged actions "reckless," saying numerous federal and state laws prohibit the transmission of sensitive health information without a patient's consent.
The attorney general's lawsuit seeks to stop Accretive Health from certain data collection. She said the company's debt collection license is regulated by the state Department of Commerce.
The Department of Commerce said its procedures are to conduct an investigation if a licensee is suspected of wrongdoing. A company would have the opportunity to defend itself at an administrative hearing before a license could be revoked, officials said.