CHARLESTON — West Virginia and 32 other states have reached a settlement with healthcare clearinghouse Inmediata over a coding issue that exposed the protected health information of approximately 1.5 million consumers for nearly three years.
Under the October 17 settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states. West Virginia will receive $15,915 from the settlement, according to Attorney General Patrick Morrisey's office.
Inmediata facilitates transactions between healthcare providers and insurers across the United States. On Jan. 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.
Although Inmediata was alerted to the breach on Jan. 15, 2019, Inmediata delayed notification to impacted consumers for more than three months and sent misaddressed notices.
“Consumers should be confident that their health information is being handled safely and securely,” Morrisey said. “Breaches like this could have been prevented with proper security measures in place. Inmediata knew of the breach and did not immediately report it to consumers, and that’s unacceptable.”
Further, the AGs say the notices were far from clear, noting that many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.
The settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata will strengthen its data security and breach-notification practices going forward. This includes implementing a comprehensive information-security program, developing an incident-response plan with specific policies and procedures for notification letters, and undergoing annual third-party security assessments for five years.
Indiana led the multistate investigation, assisted by the executive committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia and Wisconsin.