Delaware News


Attorney General Jennings announces multistate settlement with Inmediata for data breach im

Department of Justice Press Releases | Fraud | Date Posted: Tuesday, October 17, 2023


Navy blue background featuring the Delaware state seal in the center

Attorney General Jennings announced today that Delaware, along with 32 other attorneys general, has reached a settlement with healthcare clearinghouse Inmediata for a coding issue that exposed the protected health information (“PHI”) of approximately 1.5 million consumers for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states. Delaware will receive $15,470 from the settlement.

“This settlement once again underscores our commitment to protecting Delaware citizens and holding companies accountable for breaches of customer data and vulnerabilities in their services,” stated Attorney General Jennings.

As a healthcare clearinghouse, Inmediata facilitates transactions between healthcare providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.

Although Inmediata was alerted to the breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.

Today’s settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementation of a comprehensive information security program with specific security requirements include code review and crawling controls, development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years.

This matter was handled for the Delaware Department of Justice by the Fraud and Consumer Protection Division’s Consumer Protection Unit. Additional information regarding data security breaches can be found on the Department of Justice’s website.

image_printPrint


Graphic that represents delaware news on a mobile phone

Keep up to date by receiving a daily digest email, around noon, of current news release posts from state agencies on news.delaware.gov.

Here you can subscribe to future news updates.

Attorney General Jennings announces multistate settlement with Inmediata for data breach im

Department of Justice Press Releases | Fraud | Date Posted: Tuesday, October 17, 2023


Navy blue background featuring the Delaware state seal in the center

Attorney General Jennings announced today that Delaware, along with 32 other attorneys general, has reached a settlement with healthcare clearinghouse Inmediata for a coding issue that exposed the protected health information (“PHI”) of approximately 1.5 million consumers for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states. Delaware will receive $15,470 from the settlement.

“This settlement once again underscores our commitment to protecting Delaware citizens and holding companies accountable for breaches of customer data and vulnerabilities in their services,” stated Attorney General Jennings.

As a healthcare clearinghouse, Inmediata facilitates transactions between healthcare providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.

Although Inmediata was alerted to the breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.

Today’s settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementation of a comprehensive information security program with specific security requirements include code review and crawling controls, development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years.

This matter was handled for the Delaware Department of Justice by the Fraud and Consumer Protection Division’s Consumer Protection Unit. Additional information regarding data security breaches can be found on the Department of Justice’s website.

image_printPrint


Graphic that represents delaware news on a mobile phone

Keep up to date by receiving a daily digest email, around noon, of current news release posts from state agencies on news.delaware.gov.

Here you can subscribe to future news updates.