HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Inmediata breach exposes 1.6M patients' data causing $250K settlement

Written by Tshedimoso Makhene | Dec 13, 2024 1:22:49 AM

Inmediata Health Group has agreed to a $250,000 settlement for HIPAA violations. The settlement follows a data breach, discovered in 2019, that exposed the protected health information of nearly 1.6 million patients.


What happened

A breach at Puerto Rico-based clearinghouse Inmediata Health Group exposed the protected health information (PHI) of 1,565,338 patients. Following the breach, the company settled with federal regulators for $250,000 over multiple HIPAA violations. Counting the earlier class-action and multi-state settlements, the incident has now cost Inmediata roughly $2.8 million in fines and civil settlements.

HHS OCR's investigation uncovered violations of both the HIPAA Privacy Rule, due to the unauthorized disclosure of PHI, and the HIPAA Security Rule. Specifically, Inmediata failed to conduct a required security risk analysis to identify vulnerabilities and did not adequately monitor its health information systems' activity.


The backstory

In 2019, Inmediata discovered a technical problem that had left patient data publicly accessible on the internet without any authentication. Because the pages were reachable by anyone, Google had crawled and indexed the information of over 1.5 million individuals. Inmediata conducted an investigation, but it did not conclusively establish the specifics of the breach. By 2023, Inmediata had settled two major cases: a federal class-action lawsuit for $1.125 million and a multi-state investigation for $1.4 million over violations of HIPAA regulations and state breach notification laws.

Go deeper: Inmediata reaches $1.4 million settlement following HIPAA investigation


What was said 

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Inmediata Health Group, LLC has reached a settlement following an investigation into potential HIPAA Security Rule violations. “Healthcare entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”

OCR’s investigation revealed that from May 2016 through January 2019, PHI for over 1.56 million individuals was publicly accessible online. “The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information. These impermissible disclosures of PHI were potential violations of the HIPAA Privacy Rule,” HHS said in the statement.

The investigation also found multiple HIPAA Security Rule violations. These included “failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI) in its systems, and to monitor and review its health information systems’ activity. The settlement resolves OCR’s investigation concerning this HIPAA breach.”
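The two findings above go together: data sat on the public internet long enough for Google to index it, and nobody was reviewing the system's own activity records, where that crawling would have been visible. The script below is an added example, not Inmediata's code or anything from the HHS statement, of the kind of log review the Security Rule's "monitor and review" obligation points at. It runs over constructed web-server access-log lines in the common "combined" format (the IPs, paths and user agents are made up), and flags successful reads of assumed PHI-bearing routes that either came from a search-engine crawler or carried no authenticated user (the third log field is "-" when the web server recorded no user).

```python
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx "combined" format; none of this is
# real Inmediata traffic. Field 3 is the authenticated user as the server saw it.
SAMPLE_LOG = """\
203.0.113.7 - jdoe [14/Jan/2019:10:01:02 +0000] "GET /claims/8831 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
66.249.66.1 - - [14/Jan/2019:10:02:11 +0000] "GET /claims/8831 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [14/Jan/2019:10:03:45 +0000] "GET /claims/8832 HTTP/1.1" 200 4990 "-" "curl/7.64.0"
198.51.100.4 - - [14/Jan/2019:10:03:46 +0000] "GET /claims/8833 HTTP/1.1" 401 0 "-" "curl/7.64.0"
192.0.2.9 - - [14/Jan/2019:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 12 "-" "bingbot/2.0"
"""

# One regex for the combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed route prefixes that serve PHI; a real deployment would take these from its own inventory.
SENSITIVE_PREFIXES = ("/claims/", "/patients/")
# Substrings that identify well-known search-engine crawlers in the User-Agent header.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp", "duckduckbot")


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def classify(entry):
    """Return a finding label for a successful read of a sensitive route, else None."""
    if not entry["path"].startswith(SENSITIVE_PREFIXES) or entry["status"] != 200:
        return None
    ua = entry["ua"].lower()
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return "crawler_read_phi"          # a search engine fetched PHI: it is public
    if entry["user"] == "-":
        return "unauthenticated_read_phi"  # served PHI with no authenticated user
    return None


def scan(log_text):
    """Return (label, ip, path, user_agent) for every line that trips a rule."""
    findings = []
    for entry in parse(log_text.splitlines()):
        label = classify(entry)
        if label:
            findings.append((label, entry["ip"], entry["path"], entry["ua"][:40]))
    return findings


def summarize(findings):
    """Count findings by label so a daily review can spot trends at a glance."""
    return Counter(label for label, *_ in findings)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(summarize(scan(SAMPLE_LOG)))
```

Two points worth noting from the sample output. A 401 on a sensitive path is the server doing its job and is not flagged, while a 200 to Googlebot is the strongest possible signal that the data is public, since the crawler only follows links it can reach without credentials. The check keys on the web server's own user field, which is only populated for HTTP-level authentication; an application that authenticates with sessions or tokens needs the equivalent rule run over its application logs, and robots.txt (line five of the sample) is a crawler courtesy, not an access control.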

Under the settlement terms, Inmediata has paid OCR $250,000. OCR also issued guidance for healthcare entities to strengthen their cybersecurity practices. Recommendations include conducting regular risk analyses, implementing multi-factor authentication, encrypting ePHI, ensuring proper vendor agreements, and training staff on privacy and security responsibilities.

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a data breach?

A data breach occurs when unauthorized individuals access, disclose, or steal sensitive information, such as personal data, financial records, or health information. This may happen due to hacking, misconfigured systems, employee negligence, or accidental exposure.


How can a breach affect individuals?

Individuals affected by a data breach may experience:

  • Identity theft
  • Fraudulent financial transactions
  • Increased risk of phishing and scams
  • Damage to personal and professional reputation
  • Emotional distress


Can an organization recover from a data breach?

While the immediate consequences of a data breach can be severe, organizations can recover by:

  • Implementing stronger security measures
  • Communicating transparently with affected parties
  • Offering remedies (e.g., credit monitoring)
  • Updating internal policies and training employees on data security best practices

Related: Recovering from a cyberattack