Inmediata Health Group Has Paid $2.7M in Fines, Civil Claims for 2019 HIPAA Breach
A breach that exposed the personal health information of nearly 1.6 million patients of a Puerto Rico-based clearinghouse has led to a $250,000 financial settlement with federal regulators for multiple HIPAA violations. The leak has so far cost Inmediata Health Group $2.7 million in fines and civil settlements.
Problems began for Inmediata Health Group in 2019 when the U.S. Department of Health and Human Services’ Office for Civil Rights received a complaint about PHI left unsecured on the internet and exposed to search engines such as Google.
“Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS and affected individuals,” HHS OCR said in a statement.
The Inmediata Health Group data breach was also the subject of a $1.4 million settlement last year with 33 state attorneys general and a $1.1 million civil settlement in 2023 of proposed federal class action litigation against the company (see: 33 State AGs Settle 3 Health Data Breach Cases).
HHS OCR said its investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 people was publicly available online. The exposed PHI included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnoses, conditions and other treatment information.
“These impermissible disclosures of PHI were potential violations of the HIPAA Privacy Rule,” HHS OCR said. Additionally, HHS OCR’s investigation found several potential HIPAA Security Rule violations. Those included failures to conduct a HIPAA security risk analysis to determine the potential risks and vulnerabilities to electronic PHI in its systems, and to monitor and review its health information systems’ activity.
Under its settlement last year with nearly three dozen state attorneys general, Inmediata was required to implement improvements to its data security practices that also addressed issues identified during HHS OCR’s investigation. Therefore, HHS OCR said it did not include corrective actions in the settlement, as the agency typically does in its other HIPAA resolution agreements.
“Healthcare entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said Melanie Fontes Rainer, director of HHS OCR in the agency’s statement. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”
In its 2019 breach notification statement, Inmediata said the company became aware in January 2019 “that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations” (see: Misconfigured IT (Again) Leads to Big Health Data Breach).
The statement said that immediately after Inmediata became aware of the situation, the company deactivated the website and engaged an independent digital forensics firm to assist with an investigation.
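The root cause described above, an internal web page that answered unauthenticated requests and was also indexable by search engines, is something an operator can audit for. The following script is an added example written for this article; it is not Inmediata's code and not part of the original report. It assumes a crawler or scanner has already collected, for each URL, the status code and headers returned to an anonymous client (the sample responses, the robots.txt and the `example.invalid` host are all constructed) and that the operator knows which path prefixes are internal business pages. The audit deliberately treats a `noindex` hint or a robots.txt rule as a lesser finding, not a fix: a page that returns 200 to an anonymous client is still reachable by anyone with the URL, which is exactly the point HHS OCR made.

```python
"""Audit whether internal web pages are reachable without login and indexable.

Constructed example: SAMPLE_RESPONSES stands in for results a scanner would
collect with anonymous HEAD/GET requests; nothing is fetched from the network.
"""
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the hypothetical host: only /internal/ is disallowed.
ROBOTS_TXT = """User-agent: *
Disallow: /internal/
"""

# Assumption: these path prefixes hold internal business-operations pages.
INTERNAL_PREFIXES = ("/internal/", "/ops/", "/portal/")

# Constructed sample of observed anonymous responses. 'meta_noindex' records
# whether the HTML body carried <meta name="robots" content="noindex">.
SAMPLE_RESPONSES = {
    "https://example.invalid/": {"status": 200, "headers": {}, "meta_noindex": False},
    "https://example.invalid/internal/claims": {"status": 200, "headers": {}, "meta_noindex": False},
    "https://example.invalid/ops/reports": {"status": 200, "headers": {}, "meta_noindex": False},
    "https://example.invalid/ops/export": {
        "status": 200,
        "headers": {"X-Robots-Tag": "noindex, nofollow"},
        "meta_noindex": False,
    },
    "https://example.invalid/portal/login": {"status": 401, "headers": {}, "meta_noindex": False},
}


def robots_allows(robots_txt, url):
    """True when robots.txt permits a generic crawler ('*') to fetch the URL."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch("*", url)


def is_indexable(url, response, robots_txt):
    """True when a well-behaved search engine would be allowed to index the page.

    A page is indexable if it serves content (200), robots.txt does not block it,
    and neither the X-Robots-Tag header nor a meta tag says 'noindex'.
    """
    if response["status"] != 200:
        return False
    if not robots_allows(robots_txt, url):
        return False
    header = response["headers"].get("X-Robots-Tag", "").lower()
    if "noindex" in header or response["meta_noindex"]:
        return False
    return True


def audit(responses, robots_txt, internal_prefixes=INTERNAL_PREFIXES):
    """Classify each internal URL observed by the scanner.

    'gated'                  -> anonymous client was refused (401/403 or similar)
    'exposed-unauthenticated'-> page served to anonymous client; crawlers told
                                not to index it, but anyone with the URL can read it
    'exposed-indexable'      -> page served to anonymous client AND indexable;
                                the worst case, matching the breach described above
    """
    findings = {}
    for url, response in responses.items():
        path = urlparse(url).path
        if not path.startswith(internal_prefixes):
            continue  # public pages are out of scope for this check
        if response["status"] == 200:
            if is_indexable(url, response, robots_txt):
                findings[url] = "exposed-indexable"
            else:
                findings[url] = "exposed-unauthenticated"
        else:
            findings[url] = "gated"
    return findings


if __name__ == "__main__":
    for url, verdict in sorted(audit(SAMPLE_RESPONSES, ROBOTS_TXT).items()):
        print(f"{verdict:25s} {url}")
```

Any result other than `gated` on an internal path is a finding to fix by putting the page behind authentication; the `exposed-indexable` verdict additionally means the content may already have been cached by search engines and should be treated as a potential disclosure.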
Inmediata did not immediately respond to Information Security Media Group’s request for comment on its settlement with HHS OCR.
Misconfigured IT systems and settings have been at the root of many major health data breaches over the years.
That includes a misconfigured web server resulting in the exposure of sensitive information for nearly 600,000 prison inmates in 2022 at medical claims processing company CorrectCare. The firm in October agreed to pay $6.49 million to settle a consolidated proposed class action lawsuit in the breach (see: 600,000 Prison Inmates to Share in $6.49M Breach Settlement).