Fairview and North Memorial Hospitals, Accretive

The July 25 theft of a laptop resulted in the exposure of patient information.  It was stolen from a rental car parked in the parking lot of a Minneapolis restaurant.  The laptop was in the possession of an employee of the contractor Accretive.  It contained the names, addresses, dates of birth, medical information, and Social Security numbers of patients.  A total of 14,000 Fairview patients were affected.  Approximately 2,800 North Memorial patients were affected, but did not have their Social Security numbers exposed.UPDATE (1/20/2012): A lawsuit was filed against Accretive Health, Inc. as a result of the breach. Approximately 23,500 patients in Minnesota were affected by the breach.  The Minnesota Attorney General claims that Accretive failed to protect patient health care records and failed to disclose its extensive involvement in patient health care.  According to the Minnesota Attorney General, Accretive gained access to sensitive patient data through contracts with the two hospitals and numerically scored patients' risk of hospitalization and medical complexity, graded their "frailty," compiled per-patient profit and loss reports, and identified patients deemed to be "outliers." The physical and mental health information included a checklist of 22 different chronic medical conditions that patients did or did not have.  This was without the knowledge or consent of patients and the Attorney General argues that patients had the right to know how their information was being used and to have it kept confidential.Accretive tells investors that its contracts with hospitals include risk scoring patients, reducing avoidable hospital admissions, identifying the sickest and most impact-able patients for proactive management, and identifying real-time interventions with significant revenue or cost impact. The lawsuit alleges that Accretive violated state and federal health privacy laws, state debt collection laws, and state consumer protection laws.  It seeks an order requiring Accretive to fully disclose to patients: 1) what information it has about Minnesota patients; 2) what information it has lost about Minnesota patients; 3) where and to whom it has sent information about Minnesota patients; and 4) the purposes for which it amasses and uses information about Minnesota patients. In addition, the lawsuit asks Accretive to disclose whether it has sent health data about Minnesota patients to an offshore site in new Delhi, India and requests that restrictions be applied to how Accretive treats and uses patient data.The press release from the Office of Minnesota Attorney General Lori Swanson can be found here.UPDATE (08/24/2012): A settlement agreement with Accretive Health was announced at the end of July.  The settlement requires Accretive to stop doing business in Minnesota for two years and to pay approximately $2.5 million to the State of Minnesota, a portion of which will be used to compensate patients.