AG Yost Announces Data Breach Settlement with Health-Care Clearinghouse
(COLUMBUS, Ohio) — Ohio Attorney General Dave Yost and 32 of his counterparts announced today that a settlement has been reached with Inmediata over the three-year exposure of the protected health information of 1.5 million consumers.
As part of the settlement, the health-care clearinghouse has agreed to fully revamp its data-security protocols and breach-notification procedures, and to pay $1.4 million to the participating states. Ohio will receive $56,041 of the settlement money.
“Data privacy should be paramount. In the event of a breach, it is the company's responsibility to promptly notify consumers,” Yost said. “We are actively working to mitigate this issue and safeguard the interests of Ohioans.”
Inmediata, based in San Juan, Puerto Rico, facilitates transactions between health-care providers and insurers throughout the United States.
In January 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that, dating as far back as May 2016, protected health information maintained by the company had been exposed online and indexed by search engines. The breach meant that anyone with internet access could have accessed and potentially downloaded the sensitive patient information.
Despite the alert from the federal government, Inmediata put off notifying the affected consumers for more than three months, and, when the company finally did so, in some cases it sent notices to incorrect patient addresses. In addition, the notices lacked clarity, leaving many consumers confused about why Inmediata had their data and leading some to dismiss the notices as illegitimate.
The settlement resolves allegations made by the attorneys general that Inmediata violated state breach notification laws and the federal Health Insurance Portability and Accountability Act (HIPAA).
The violations center on two periods: before the breach, Inmediata’s failure to implement reasonable data security and its neglect of secure-code reviews; and, after learning about the data exposure, its failure to provide timely and comprehensive information about the breach to consumers.
Under the settlement, Inmediata will strengthen its data security and breach-notification practices going forward. This includes implementing a comprehensive information-security program, developing an incident-response plan with specific policies and procedures for notification letters, and undergoing annual third-party security assessments for five years.
Joining Yost in the settlement are the attorneys general of Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin.
If you need assistance as an identity-theft victim or if you suspect a scam or an unfair business practice, contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.