In April 2019, Puerto Rico-headquartered Inmediata issued a press release concerning a data leak it had discovered in January of that year. The business associate’s press release explained, in relevant part:
In January 2019, Inmediata became aware that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that Inmediata uses for business operations. Immediately after Inmediata became aware of the incident, the company deactivated the website and engaged an independent computer forensics firm to assist with an investigation. Based on the current findings of the ongoing investigation, Inmediata has no evidence that any files were copied or saved. In addition, Inmediata has yet to discover any evidence to suggest that any information potentially involved in this incident has been subject to actual or attempted misuse.
The information potentially involved in this incident may include patients’ names, addresses, dates of birth, gender, and medical claim information. A very small group of the potentially impacted people may have Social Security numbers involved as well. The letters mailed to the affected individuals specifically state what data of theirs may have been impacted.
To make matters worse, in the process of notifying affected individuals of the exposure, Inmediata experienced a second breach. As this site reported at the time:
Many people are reporting that they have received multiple notification letters from Inmediata — many with the names of people who are unknown to them and who do not live at their address.
The multiple notifications resulted in complaint calls to the state, which, unsurprisingly, opened an investigation. And by August, a potential class action lawsuit had been filed.
Serrano v. Inmediata has now settled. Under the terms of the settlement, Inmediata admits no wrongdoing, but pays up to $1.125 million to class members. You can read more about the terms of settlement on Top Class Actions.