Inmediata Health Resolves Multi-State Data Breach Investigation With $1.4M Settlement

More than 30 state attorneys general joined forces to investigate potential HIPAA violations connected to a data breach that spanned nearly three years and impacted 1.5 million individuals.

Puerto Rico-based healthcare clearinghouse Inmediata Health agreed to a $1.4 million settlement to resolve a multi-state data breach investigation brought by 33 state attorneys general. Inmediata had previously reached a $1.13 million settlement to resolve a class-action lawsuit related to the same breach.

In January 2019, HHS alerted Inmediata that some protected health information (PHI) maintained by the company was available online and had been indexed by search engines. The misconfigured web settings may have allowed internet users to freely view and download sensitive patient information.

Despite learning of the breach in January, Inmediata did not notify the 1.5 million impacted consumers until three months later, in April 2019. What’s more, some of the delayed notification letters were improperly addressed, and others lacked enough detail and context about the breach to let consumers understand what had happened and what they should do.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients,” said Connecticut Attorney General William Tong.

“Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine, and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again.”

In addition to the hefty fine, Inmediata will be required to implement a comprehensive information security program that includes code reviews and crawling controls and improve its overall data security and breach notification practices.

Inmediata must also develop an incident response plan that includes specific provisions about consumer notification letters, as well as conduct annual third-party security assessments for the next five years.

Each state involved in the investigation will receive varying amounts of the settlement fund. In addition, the class-action settlement resolved in 2022 may provide additional relief for breach victims. The class-action settlement fund covered administrative expenses, approved claims to class members, and the cost of Kroll’s Web Watcher Services for enrolled class members.

What sets the multi-state settlement apart is its addition of corrective actions that require Inmediata to improve its security program and prevent similar breaches going forward, rather than only compensating the individuals already affected.
