A coalition of 33 state attorneys general has reached a settlement with the Puerto Rico-based healthcare clearinghouse Inmediata that resolves alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state consumer protection laws. The Inmediata settlement agreement requires the payment of a $1.4 million financial penalty and the adoption of a corrective action plan to improve data security.
The data breach in question was not the result of a cyberattack. It was caused by a coding error that left the protected health information (PHI) of 1.56 million individuals exposed online for almost three years. Because the affected pages required no authentication, the PHI maintained by Inmediata was indexed by search engines and could be accessed by anyone with an Internet connection. The exposed data included patients’ names, addresses, dates of birth, gender, and medical claim information, and, for a subset of individuals, Social Security numbers.
Inmediata was alerted to the data breach on January 15, 2019, by the HHS Office for Civil Rights, but did not issue notification letters to the affected individuals until April 24, 2019, more than a month beyond the 60-day maximum permitted by the HIPAA Breach Notification Rule. Mailing errors compounded the problem: letters intended for some victims were sent to other individuals.
The multistate investigation also found the content of the letters to be insufficient. Healthcare clearinghouses process claims and other data on behalf of healthcare providers and health plans, so most patients have never dealt with one directly and do not know why such a company holds their protected health information. The breach notification letters failed to adequately explain why Inmediata had their data, which left many victims of the breach confused, and some dismissed the letters as fraudulent.
The multistate action alleged violations of state consumer protection laws; of state breach notification laws, for failing to issue timely notifications with sufficient content; and of HIPAA, for failing to implement reasonable data security measures, including never conducting a secure code review at any point before the breach. The corrective action plan requires Inmediata to implement a comprehensive information security program, which must include code reviews and crawling controls (measures to keep search engines from indexing sensitive pages). Inmediata must also develop, implement, and maintain an incident response plan that includes specific policies and procedures for consumer notification letters, and must undergo independent third-party security assessments for five years.
Victims of the data breach also took legal action against Inmediata for exposing their sensitive information and failing to implement reasonable and appropriate cybersecurity measures. In early 2022, Inmediata settled that lawsuit for $1.125 million, a settlement that includes credit monitoring services for victims.
The investigation was led by the Indiana attorney general, assisted by an Executive Committee consisting of the Connecticut, Michigan, and Tennessee attorneys general. Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin also participated.