Utah Attorney General Sean D. Reyes recently announced that Utah, along with 32 other attorneys general, has reached a settlement with healthcare clearinghouse Inmediata for a coding issue that exposed protected health information (“PHI”) of approximately 1.5 million consumers for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and pay $1.4 million to the states. Utah will receive $17,502.00 from the settlement.
As a healthcare clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office for Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches and potentially downloaded by anyone with access to an internet search engine.
Although Inmediata was alerted to the breach on January 15, 2019, the company delayed notification to impacted consumers for over three months, then sent misaddressed notices. Further, the notices were unclear. Many consumers complained that, without sufficient details or context, they had no idea why Inmediata had their data. This may have caused recipients to dismiss the notices as illegitimate.
This settlement resolves allegations by the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then neglecting to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementing a comprehensive information safety program with specific security requirements that include code review and crawling controls, developing an incident response plan with specific policies and procedures regarding consumer notification letters, and completing annual third-party security assessments for five years.
Utah joined the Indiana-led multistate investigation, which was assisted by an Executive Committee consisting of Connecticut, Michigan, and Tennessee. The other participating states and territories were Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Washington, West Virginia, and Wisconsin.