PHI of 1.5 Million Individuals Exposed Online by Inmediata
In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.
The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.
The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.
The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed and a computer forensics firm was retained to conduct an investigation to determine whether any patient information had been accessed by unauthorized individuals during the time it was available online.
While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.
Immediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.
Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.
You can read more about the mailing error on this link.