OCR settles with Inmediata Health over HIPAA violations

Inmediata Health paid $250K to OCR to settle potential HIPAA violations relating to a breach in which PHI was made publicly available online.

The HHS Office for Civil Rights reached a settlement with Inmediata Health Group, a healthcare clearinghouse, over a data breach reported in 2019 that affected nearly 1.6 million individuals. Under the settlement, Inmediata paid OCR $250,000. The company will not undergo corrective actions with OCR since a previous $1.4 million multistate settlement already required Inmediata to improve its security program, OCR said.

OCR learned about the breach via a 2018 complaint regarding unsecured protected health information (PHI) that was publicly available to search engines, such as Google. Further investigation determined that the PHI of nearly 1.6 million individuals was made available online due to misconfigured web settings.

The PHI involved in the breach included patient names, addresses, diagnoses, claims information and Social Security numbers.

OCR's investigation revealed multiple potential HIPAA Security Rule violations, including failure to conduct a risk analysis to determine vulnerabilities to PHI. According to OCR, Inmediata also failed to monitor and review the activity of its health information systems.

"Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection," said OCR Director Melanie Fontes Rainer.

"Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information."

OCR encouraged all healthcare providers, health plans, clearinghouses and business associates to review vendor relationships, conduct risk analyses, encrypt PHI and take other steps to ensure HIPAA compliance.

Aside from the OCR settlement, Inmediata settled a class-action lawsuit related to the same breach in February 2022, requiring it to pay $1.13 million to class members.

Separately, in October 2023, more than 30 state attorneys general backed a $1.4 million settlement with Inmediata.

The multistate settlement required Inmediata to implement a comprehensive information security program that includes an incident response plan, annual third-party security assessments and code reviews, and crawling controls to further mitigate risk.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.