DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Inmediata settles multi-state litigation for $1.14 million; will improve data security and breach notification practices

Posted on October 18, 2023 by Dissent

Indiana Attorney General Rokita led a coalition of 33 attorneys general in a multi-state investigation and litigation against health care clearinghouse Imnediata stemming from a breach disclosed in 2019.

Background

In January 2019, HHS OCR alerted Inmediata that protected health information (PHI) maintained by Inmediata was available online and had been indexed by search engines.

In April, 2019, Inmediata first issued a press release about the incident. The dozens of comments on DataBreaches responding to their press release included reports that people were getting notification letters with other people’s names on them, suggesting that Inmediata really did a poor job of breach notification and may have had HIPAA privacy breach in the process of notifying people of the data security breach. The information potentially involved in the original incident may have included patients’ names, addresses, dates of birth, gender, and medical claim information. “A very small group of the potentially impacted people may have Social Security numbers involved as well,” they wrote.

In May, the Michigan Attorney General opened an investigation and Inmediata reported the incident to HHS as impacting 1,565,338 patients.  A check of HHS’s breach tool today reveals that there was no closing entry for the incident in HHS’s archive. Whether that means the incident is still under investigation by HHS or they just never opened an investigation is unknown to DataBreaches.

In February 2022, a potential class action lawsuit against Inmediata was settled for $1.13 million and no admission of guilt.

State Attorneys General Settlement

Under the settlement with 33 state attorneys general, Inmediata agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states and to improve its security.  Indiana led the multistate investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.

As Indiana Attorney General Rokita explains, “This settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security. This includes failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Indiana’s settlement.

Related posts:

  • Inmediata Health Group notifies covered entities’ patients after exposure of PHI on web
  • HHS OCR settles charges that Inmediata Health Group exposed 1.6 million patients’ PHI online
  • Inmediata Data Breach $1.1M Class Action Settlement
Category: Breach IncidentsCommentaries and AnalysesExposureHealth DataHIPAALegislationOf NoteState/LocalU.S.

Post navigation

← CISA Advisory: Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.