Health Data Clearinghouse Settles Multi-State Litigation

Multi-state litigation over a data breach that happened in January 2019 but wasn’t reported for three months, and then in only a limited and chaotic fashion, has been settled for $1.14 million. Inmediata, a healthcare information clearinghouse based in Puerto Rico, was alerted about the breach by the Department of Health and Human Services when it discovered that patients’ protected health Information, which was maintained by the company, was available online, and had been indexed by search engines.

As Reported in DataBreaches, after Inmediata issued its press release about the incident, the online journal (which titled itself “The Office of Data Insecurity”) received dozens of comments, including reports that people got notification letters with other people’s names on them. That alone virtually proved that the company violated the Health Insurance Portability and Accountability Act’s privacy rule in the course of its tardy notification.

The information involved in the data breach may have included patients’ names, addresses, dates of birth, gender, and medical claim information. “A very small group of the potentially impacted people may have Social Security numbers involved as well,” the company wrote.

After the Michigan Attorney General opened an investigation, Inmediata reported that the incident had affected 1,565,338 patients. It is unknown at this time whether HHS is still investigating. According to the recently announced settlement with 33 state attorneys general, Inmediata agreed to overhaul its data security and breach notification practices, make a $1.4 million payment to states, and improve its security.

Indiana Attorney General Todd Rokita, who led the investigation, says the settlement resolves allegations that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security.