July theft of computer with Fairview patient data wasn't the first, Minnesota AG says

In June 2010, another employee at Accretive-a Chicago-based consultant hired by the Fairview health system to work on billing issues-reported that his laptop had been stolen from a locked car parked outside a restaurant in Roseville.

In the Roseville case, the laptop was encrypted and the computer was rendered inoperable about two hours after the theft, according to documents released this week by state Attorney General Lori Swanson. So it wasn't considered a security breach that put patient records at risk.

But lightning struck again in late July 2011, when another Accretive Health employee's laptop was reported stolen from a locked car in Minneapolis. In the second case, the laptop wasn't encrypted and the Fairview and North Memorial health systems wound up having to notify thousands of patients about the risk to their personal health information.

The sequence of events is part of the reason Sen. Al Franken, D-Minn., turned up the heat on Accretive Health on Friday, April 27, with a letter to the company's CEO demanding answers to a series of questions.

"The report states that Accretive employees lost six laptops to theft in three separate incidents," Franken's letter states. "Is this accurate?"

Fairview and Accretive officials have said there's no evidence that any patient has been harmed by the laptop theft in Minneapolis. But they have not previously disclosed details about the June 2010 theft or the possibility that there might be a pattern of lost laptops.

An internal document released this week by Swanson, in fact, suggests that Fairview was in the dark about the Roseville incident for a long time, too.

"It is disturbing to learn that there was a stolen laptop that we did not know about," wrote Lois Dahl, the information privacy director at Fairview, in a Nov. 18 email to an Accretive Health official.

"With the more recent incident, perhaps it could have been prevented if the employees would not leave them in sight in their cars," Dahl wrote. "Was there any communication to staff about this incident and the need to keep devices secure?"

Fairview learned of the Roseville theft through a series of anonymous tips from employees "who questioned the wisdom of providing confidential medical data to Accretive when it did not bother to secure the data," Swanson's report states.

The revelation apparently contributed to deterioration in the relationship between Fairview and Accretive.

"Accretive Health's treatment of laptop theft was fundamentally different than Fairview's values," states an internal Fairview document from November. "Fairview would have immediately terminated the employee."

A spokeswoman for Accretive Health did not respond to questions about the incident.

Ryan Davenport, a Fairview spokesman, confirmed Friday that the health system did not learn of the Roseville theft until much later. The laptop contained Fairview patient data, Davenport said, but he said patient privacy was not at risk.

"The laptop was secured through encryption and it was password protected," he said. "This meets (federal) standards for securing health information and does not meet the criteria for disclosure to (the government) or to patients."

Accretive Health employees operate mostly with laptop computers, Swanson's report states. It cites a February 2011 company document that says four company laptops by that point had been "smashed and grabbed" out of cars.

During the theft in Minneapolis, an Accretive Health employee left his laptop in plain view of a thief who broke into the car and stole the computer, the report states. The laptop contained confidential data on about 23,000 patients of Fairview, North Memorial Health Care, as well as data from a hospital in Detroit.

In October, an Accretive Health executive followed up on the incident with a memo detailing some security tips. When traveling, laptops should always be in sight and under your control, the executive wrote in a document released by Swanson.

"If you can't take your laptop with you," the memo states, "leave it out-of-sight in the trunk of your car."

Swanson's report concluded that Accretive couldn't be trusted to maintain the privacy of patient health information.

"Even though patients of Fairview are assured that their health records will be protected from dissemination to third parties, Fairview has broadly shared patient data with Accretive," Swanson's report concludes. "Accretive has used protected patient health information to collect debts from patients; indeed, its debt collectors use the data to build credibility with patients."