For Immediate Release:
Thursday, October 19, 2023
Nazneen Ahmed (919) 716-0060
(RALEIGH) Attorney General Josh Stein today announced a $1.4 million bipartisan multistate settlement with health care clearinghouse Inmediata for exposing the protected health information (PHI) of approximately 1.5 million consumers over almost three years. Inmediata will also overhaul its data security and breach notification practices and make a $1.4 million payment to states. North Carolina will receive $27,870 from the settlement to help protect consumers in the state.
“We want to prevent data breaches from happening, but when they happen, we need to know immediately so we can take steps to protect ourselves,” said Attorney General Josh Stein. “This company mishandled its response to a data breach while people’s sensitive health information was on the internet for easy access. That’s unacceptable.”
As a health care clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI it maintained was available online and had been indexed by search engines. As a result, people could view and download sensitive patient information.
Inmediata delayed notifying impacted consumers for more than three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that they had no idea why Inmediata had their data and they thought the notices might have been fraudulent.
Today’s settlement resolves allegations that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including: implementation of a comprehensive information security program with specific security requirements, including code review and crawling controls; development of an incident response plan, including specific policies and procedures regarding consumer notification letters; and annual third-party security assessments for five years.
Attorney General Stein is joined in this settlement by the Attorneys General of Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia, and Wisconsin.