Attorney General Tong Announces Emergency Settlement Between States and Health Care Clearinghouse Over Data Breach Affecting 1.5 Million Consumers
(Hartford, CT) — Attorney General William Tong today joined 32 other attorneys general in announcing a settlement with health care clearinghouse Inmediata over a coding problem that exposed the protected health information (“PHI”) of approximately 1.5 million consumers for nearly three years. Under the settlement, Inmediata agreed to review its data security and breach notification practices and to make a $1.4 million payment to the states. Connecticut will receive $60,154 from the settlement. Connecticut was part of a four-state executive committee that led the multistate investigation.
“Inmediata held some of our most sensitive and private health information and had an obligation to keep it secure. Their coding error left sensitive patient information exposed in public online searches for months, with no notice to affected patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices to ensure these types of inexcusable security breaches never happen again,” said Attorney General Tong.
As a health care clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches and potentially retrieved by anyone with access to an Internet search engine.
Although Inmediata was alerted to the breach on January 15, 2019, it delayed notifying affected consumers for more than three months and sent some notices to the wrong addresses. Furthermore, the notices were far from clear: many consumers complained that, without enough detail or context, they had no idea why Inmediata had their data, which could have led recipients to dismiss the notices as illegitimate.
Today’s settlement resolves allegations by state attorneys general that Inmediata violated state consumer protection laws, breach notification laws and HIPAA by failing to implement reasonable data security, including failing to conduct security code reviews at any time prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata agreed to strengthen its data security and breach notification practices going forward, including: implementing a comprehensive information security program with specific security requirements, among them code review and indexing controls; developing an incident response plan with specific policies and procedures governing consumer notification letters; and undergoing annual third-party security assessments for five years.
Indiana led the multistate investigation, assisted by an Executive Committee consisting of Connecticut, Michigan and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia and Wisconsin.
Assistant Attorneys General John Neumon and Laura Martella, and Deputy Assistant Attorney General Michele Lucan, Chief of the Privacy Division, assisted the Attorney General in this case.