BALTIMORE, MD—Maryland Attorney General Anthony G. Brown on Wednesday announced that the State, along with 32 other Attorneys General, has reached a settlement with health care clearinghouse Inmediata for a coding issue that exposed the protected health information (“PHI”) of approximately 1.5 million consumers, including 16,423 in Maryland, for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states, of which Maryland will receive $26,132.
As a health care clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine. Inmediata was alerted to the breach on January 15, 2019, but the Attorney General alleged the company did not notify impacted consumers for over three months and many of the notices that were sent were misaddressed. Further, the Attorney General contended that Inmediata’s notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.
“As data breaches occur with greater frequency, it’s critical that Marylanders who are affected receive timely and accurate notice, with clear guidance about how their personal information may be affected and what steps they can take to protect themselves,” said Attorney General Brown. “Companies must provide adequate safeguards to protect consumers’ information. This settlement requires Inmediata to take the steps to ensure that consumer information is protected.”
Wednesday’s settlement resolves allegations that Inmediata violated Maryland’s Consumer Protection Act, Personal Information Protection Act, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementing a comprehensive information security program with specific security requirements to include code review and crawling controls; developing an incident response plan to include specific policies and procedures regarding consumer notification letters; and conducting annual third-party security assessments for five years.
In this settlement, Attorney General Brown joins the Attorneys General of Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, Tennessee, South Carolina, Utah, Washington, West Virginia, and Wisconsin.
Consumers with concerns about identity theft may contact the Attorney General’s Identity Theft Unit by calling 410-576-6491 or email to [email protected].
Photo by Sora Shimazaki from Pexels
