Puerto Rico-based health care clearinghouse Inmediata Health Care Group LLC agreed to pay $1.4 million to a coalition of 32 states and Puerto Rico and overhaul its data security and breach notification practices in a settlement agreement over a 2019 breach that exposed the electronic protected health information (ePHI) of approximately 1.5 million consumers for almost three years, the states announced.
The settlement, one of two state-based settlements involving PHI announced in October, resolves the attorneys general's allegations that Inmediata violated state consumer protection laws, breach notification laws and HIPAA by failing to implement reasonable data security.
The allegations include failing to conduct a secure code review at any point prior to the breach and then failing to provide affected consumers with timely and complete information regarding the breach, according to Indiana Attorney General Todd Rokita, who led the coalition.
In January 2019, the HHS Office for Civil Rights alerted Inmediata that ePHI held by Inmediata was exposed online, according to settlement documents.
Inmediata’s investigation revealed that a coding issue allowed two webpages to be indexed by Bing Bots beginning May 16, 2016, and continuing through Jan. 15, 2019, the settlement said.