Not long ago, it would have been absurd to imagine an employee of a large company leaving confidential health care records of 25,000 people in his rental car (at risk of being lost or stolen). But that is what happened in July of 2011 in Minneapolis’ Seven Corners neighborhood to Accretive Health, Inc. and the fallout for that company has not been pretty.
It appears that the rental car, unencrypted laptop included, was stolen and, as a result, (1) confidential health care records of nearly 25,000 people were vulnerable to access by whoever got the laptop (and still are? into perpetuity?), and (2) although there have actually been no reports of any unauthorized use or access to the data, the incident got the attention of Lori Swanson, Minnesota’s Attorney General, because regulatory rules required the victimized company to report the data breach.
So, though the car thief appears not to have bothered with the laptop, the Minnesota AG’s office had a peek at the data and the AG was not at all pleased with what she saw. The AG was understandably displeased that unencrypted health care records were lost, but also, from the data on the laptop, the Minnesota AG learned about and did not like how Accretive goes about its business of getting money from consumers of medical care for their consumption of medical care. (Debt collection, ML readers know, is a tough gig (FDCPA debt or not).)
If the Accretive system had been cloud-based — i.e., if the company had had a system where individual laptops functioned as portals to data stored elsewhere — the employee would have called in the loss of the laptop, it would have been “locked out” and “remotely wiped,” and maybe that would have been “end of story.” The unencrypted data itself was on the lost laptop, however, and a very different scenario has been playing out.
The irony, of course, is that “the bad guys” who stole the laptop and the data appear to have inflicted very little harm or damage on Accretive Health and literally no harm or damage on anyone else (which is part of the basis for Accretive’s recently filed motion to dismiss the AG’s complaint).
If health care company executives ever crunched and analyzed the costs, the risks, and the benefits of online cloud-computing solutions versus “local data storage,” one has to wonder whether they neglected to include a cell in the spreadsheet for “Aggressive Regulator Exploits Company’s Data Breach Report To Access Business Model and Attempt to Eviscerate Company.”
This could be the kind of “black swan” or “unknown unknown” that can undermine even the most thorough and careful planning and risk management.