Medical Debt Collection Company R1 RCM (Formerly Accretive Health Inc.) Data Breach Potentially Exposes Tens of Millions of Patients’ Sensitive Records

Identity theft is a multi-billion dollar problem.  Although many companies have responded to this threat appropriately, some continue to risk theft of the sensitive personal and medical information entrusted to them by consumers and patients.  Unfortunately, it appears that the major medical debt collection company R1 RCM Inc. (formerly Accretive Health Inc.) failed to protect the highly sensitive information of tens of millions of individuals nationwide.

According to cybersecurity journalist Brian Krebs, Chicago-based R1 RCM – which has over 19,000 employees and contracts with at least 750 healthcare organizations nationwide – “acknowledged taking down its systems in response to a ransomware attack.”  While the scope of the data exposed revealed remains unknown, the breached information may include sensitive personal, financial, and medical information such as names, dates of birth, Social Security numbers, billing information, and medical diagnostic data belonging to tens of millions of patients.

Unfortunately, this is not the first time that R1 RCM failed to protect patient data.  According to the Federal Trade Commission (FTC), R1 RCM’s predecessor Accretive Health’s “inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse.”  Accretive Health’s inadequate data security safeguards led to an incident in July 2011 that exposed sensitive data belonging to approximately 23,000 patients.  Accretive Health ultimately settled the charges with the FTC in December 2013.

Cybercriminal use personal information with the primary incentive of using that private data to commit identity theft and financial fraud.  Identity theft wreaks havoc on consumers’ finances, credit history, and reputation and can take time, money, and patience to resolve.  Identity thieves use stolen personal information for a variety of crimes, including credit card fraud, phone or utilities fraud, banking or finance fraud, government fraud, and medical identity theft.  Moreover, a person whose personal information has been compromised may not see the full extent of identity theft or fraud for years.

Disclosure of personal information and medical information is unlawful, and the attorneys at Finkelstein, Blankinship, Frei-Pearson & Garber, LLP have successfully brought lawsuits on behalf of victims of similar data breaches.  If your physician group, hospital, or healthcare system is serviced by the medical debt collection company R1 RCM, your information may have been exposed.  If you believe that your sensitive information may have been compromised, please contact FBFG to explore your rights.