Inmediata, a Puerto Rico-based healthcare clearinghouse, was part of a HIPAA investigation beginning in 2019. Now, after facing a multi-state lawsuit, the company has decided to settle the case.
What happened
In January 2019, Inmediata was notified that protected health information (PHI) had been exposed online due to a technical problem on their website. The exposed information included health plans, addresses, dates of birth, and, for some patients, their Social Security number.
Due to the website error, data of over 1.5 million individuals was made available online without the need for authentication from employees. Patient information could be found through simple Google searches.
Once the leak was discovered, an investigation was immediately opened to see if unauthorized persons were able to access patient PHI. While nothing was uncovered, it's possible that information was exposed online.
Inmediata sent out breach notification letters in April, but unfortunately, many individuals received letters addressed to other individuals. This resulted in further disclosures of PHI.
Last year, Inmediata settled a class action lawsuit for $1.125 million.
What's new
Since the incident, Inmediata has undergone a multi-state investigation for potential HIPAA and state breach notification law violations.
The investigation was led by the Indiana Attorney General, Todd Rokita, alongside 32 other Attorney Generals from various states, who alleged that Inmediata failed to implement reasonable and appropriate data security. The lawsuit also claims that Inmediata failed to notify patients in a timely manner, and when they did notify individuals, the company further exposed data.
The $1.4 million settlement will be divided among the participating states. As part of the settlement, Inmediata also agreed to strengthen its data security practices and breach protocol. They must secure their website code and frequently check search engines for impermissible data exposure. For the next five years, Inmediata's security will also be reviewed by a third party.
What was said
In a press release from Connecticut's Attorney General William Tong, Tong said, "Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure…Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements."
Delaware Attorney General Kathy Jennings said the settlement underscored their commitment to protecting citizens and "holding companies accountable for breaches of customer data and vulnerabilities in their services."
The bottom line
Ultimately, Inmediata's incident cost the company over $2 million in lawsuits alone, as well as any costs associated with implementing better security and breach notification policies.
Organizations must be diligent in their security measures and constantly review current policies and procedures to better prepare for accidental leaks or malicious attacks. No matter how data exposure occurs, companies may find themselves under fire if they fail to protect patient data adequately.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
