DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Inmediata settles multi-state litigation for $1.14 million; will improve data security and breach notification practices

Posted on October 18, 2023 by Dissent

Indiana Attorney General Rokita led a coalition of 33 attorneys general in a multi-state investigation and litigation against health care clearinghouse Imnediata stemming from a breach disclosed in 2019.

Background

In January 2019, HHS OCR alerted Inmediata that protected health information (PHI) maintained by Inmediata was available online and had been indexed by search engines.

In April, 2019, Inmediata first issued a press release about the incident. The dozens of comments on DataBreaches responding to their press release included reports that people were getting notification letters with other people’s names on them, suggesting that Inmediata really did a poor job of breach notification and may have had HIPAA privacy breach in the process of notifying people of the data security breach. The information potentially involved in the original incident may have included patients’ names, addresses, dates of birth, gender, and medical claim information. “A very small group of the potentially impacted people may have Social Security numbers involved as well,” they wrote.

In May, the Michigan Attorney General opened an investigation and Inmediata reported the incident to HHS as impacting 1,565,338 patients.  A check of HHS’s breach tool today reveals that there was no closing entry for the incident in HHS’s archive. Whether that means the incident is still under investigation by HHS or they just never opened an investigation is unknown to DataBreaches.

In February 2022, a potential class action lawsuit against Inmediata was settled for $1.13 million and no admission of guilt.

State Attorneys General Settlement

Under the settlement with 33 state attorneys general, Inmediata agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states and to improve its security.  Indiana led the multistate investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.

As Indiana Attorney General Rokita explains, “This settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security. This includes failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Indiana’s settlement.


Related:

  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
Category: Breach IncidentsCommentaries and AnalysesExposureHealth DataHIPAALegislationOf NoteState/LocalU.S.

Post navigation

← CISA Advisory: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.