Ohio Attorney General Dave Yost and 32 of his counterparts announced that a settlement has been reached with Inmediata over the three-year exposure of the protected health information of 1.5 million consumers. As part of the settlement, the healthcare clearinghouse has agreed to fully revamp its data-security protocols and breach-notification procedures, and to pay $1.4 million to the participating states. Ohio will receive $56,041 of the settlement money. Inmediata, based in San Juan, Puerto Rico, facilitates transactions between healthcare providers and insurers throughout the United States.
In January 2019, the US Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that, dating as far back as May 2016, protected health information maintained by the company had been exposed online and indexed by search engines. The breach meant that anyone with internet access could have accessed and potentially downloaded the sensitive patient information. Despite the alert from the federal government, Inmediata put off notifying the affected consumers for more than three months, and, when the company finally did, in some cases they sent notices to incorrect addresses of patients. In addition, the notices lacked clarity, leaving many consumers confused about why Inmediata had their data and leading some to dismiss the notices as illegitimate. The settlement resolves allegations made by the attorneys general that Inmediata violated state breach notification laws and the federal Health Insurance Portability and Accountability Act (HIPAA).
