DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Inmediata settles multi-state litigation for $1.14 million; will improve data security and breach notification practices

Posted on October 18, 2023 by Dissent

Indiana Attorney General Rokita led a coalition of 33 attorneys general in a multi-state investigation and litigation against health care clearinghouse Imnediata stemming from a breach disclosed in 2019.

Background

In January 2019, HHS OCR alerted Inmediata that protected health information (PHI) maintained by Inmediata was available online and had been indexed by search engines.

In April, 2019, Inmediata first issued a press release about the incident. The dozens of comments on DataBreaches responding to their press release included reports that people were getting notification letters with other people’s names on them, suggesting that Inmediata really did a poor job of breach notification and may have had HIPAA privacy breach in the process of notifying people of the data security breach. The information potentially involved in the original incident may have included patients’ names, addresses, dates of birth, gender, and medical claim information. “A very small group of the potentially impacted people may have Social Security numbers involved as well,” they wrote.

In May, the Michigan Attorney General opened an investigation and Inmediata reported the incident to HHS as impacting 1,565,338 patients.  A check of HHS’s breach tool today reveals that there was no closing entry for the incident in HHS’s archive. Whether that means the incident is still under investigation by HHS or they just never opened an investigation is unknown to DataBreaches.

In February 2022, a potential class action lawsuit against Inmediata was settled for $1.13 million and no admission of guilt.

State Attorneys General Settlement

Under the settlement with 33 state attorneys general, Inmediata agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states and to improve its security.  Indiana led the multistate investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.

As Indiana Attorney General Rokita explains, “This settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security. This includes failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Indiana’s settlement.

Related posts:

  • Inmediata Health Group notifies covered entities’ patients after exposure of PHI on web
  • HHS OCR settles charges that Inmediata Health Group exposed 1.6 million patients’ PHI online
  • Inmediata Data Breach $1.1M Class Action Settlement
  • Michigan investigating the Inmediata breach
Category: Breach IncidentsCommentaries and AnalysesExposureHealth DataHIPAALegislationOf NoteState/LocalU.S.

Post navigation

← CISA Advisory: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.