The U.S. Federal Trade Commission (FTC) recently announced that Accretive Health has agreed to settle charges that its inadequate security measures put sensitive customer data at risk (h/t Becker's Hospital Review).
In July of 2011, an Accretive laptop, containing 20 million pieces of data on 23,000 patients, was stolen from an employee's car.
According to the FTC, Accretive created unnecessary risks by transporting laptops that contained sensitive data in a way that left them vulnerable to theft, and failed to put reasonable procedures in place to ensure that employees removed personal data that they no longer needed from their computers. The FTC also alleged that Accretive failed to adequately restrict employee access to consumers' personal information.
Under the terms of the settlement, Accretive will be required to establish a comprehensive information security program designed to protect consumers' sensitive personal information, and must have the program evaluated every other year for the next 20 years by a certified third party.