10/17/2023
Attorney General Tong Announces Multistate Settlement with Health Care Clearinghouse Inmediata for Data Breach Impacting 1.5 Million Consumers
(Hartford, CT) -- Attorney General William Tong today joined with 32 other attorneys general announcing a settlement with health care clearinghouse Inmediata for a coding issue that exposed the protected health information (“PHI”) of approximately 1.5 million consumers for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states. Connecticut will receive $60,154 from the settlement. Connecticut was part of a four-state executive committee leading the multistate investigation.
“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine, and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Attorney General Tong.
As a health care clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.
Although Inmediata was alerted to the breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.
Today’s settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementation of a comprehensive information security program with specific security requirements, including code review and crawling controls; development of an incident response plan, including specific policies and procedures regarding consumer notification letters; and annual third-party security assessments for five years.
Indiana led the multistate investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.
Assistant Attorneys General John Neumon and Laura Martella and Deputy Associate Attorney General Michele Lucan, Chief of the Privacy Section, assisted the Attorney General in this matter.
Media Contact:
Elizabeth Benton
elizabeth.benton@ct.gov
Consumer Inquiries:
860-808-5318
attorney.general@ct.gov