Share this article on:
Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people.
The incident that prompted the notifications was a webpage used internally by Inmediata employees that had been accidentally set to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed.
The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out.
Through the webpage, unauthorized individuals could have accessed the following information: Patients’ names, addresses, dates of birth, gender, doctor’s names, and medical claim information. A small number of individuals also had their Social Security number exposed.
Inmediata started sending notification letters to affected individuals on April 22, 2019 but something appears to have gone awry when sending those letters. Several individuals have reported receiving misaddressed letters.
The state of Michigan’s Consumer Protection Division received two such reports from state residents who received letters intended for other individuals. Databreaches.net also received multiple reports from consumers who had received letters in error.
Such an error could have occurred as a result of individuals moving home and data not being updated. Some of the comments suggest that the data had been held for some time. For instance, some letters were addressed to women using their maiden name. In one case, a last name that was used on one encounter with a healthcare provider 25 years previously.
The misaddressed letters only disclosed an individual’s name to others at an address. While that is unlikely to result in harm to patients directly, the mailing error means some individuals will not have received letters and will be unaware that their PHI has been exposed. Consequently, they would not know to take steps to protect their identities.
Michigan Attorney General Dana Nessel and Department of Insurance and Financial Services (DIFS) Director Anita G. Fox issued a statement about the breach highlighting steps that affected individuals can take to protect themselves against identity theft and fraud, although the breach was not confined to Michigan residents.
The letters have also left many individuals confused about who Inmediata is and why the company has their data – An issue that has arisen in the past when other business associates have issued breach notification letters.
A copy of the breach notification letter on the California Attorney General’s website (PDF) states that “In January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.”
Greater clarity about who the company is and why an individual’s data was held would have avoided such confusion.
“It would have been nice if they would have explained how they had [my wife’s] data in the first place since we have never heard of them,” wrote one commenter on databreaches.net report. A sentiment echoed by several other commenters.
Further information on the mailing error will be made available here as and when it becomes available.