The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.

The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.

The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.

Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed, and a computer forensics firm was retained to investigate whether any patient information had been accessed by unauthorized individuals during the time it was available online.

While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.

Inmediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.

Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.

You can read more about the mailing error on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
