
In a significant development, Inmediata Health Group, a Puerto Rico-based healthcare clearinghouse, has agreed to a $250,000 settlement with federal regulators over violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement is the latest repercussion of a data breach that exposed the personal health information (PHI) of nearly 1.6 million individuals between 2016 and 2019, marking another chapter in the ongoing fallout for the company.
Initially discovered in January 2019, the breach involved the inadvertent online exposure of sensitive PHI, including patient names, dates of birth, Social Security numbers, home addresses, medical diagnoses, treatment information, and claims details. The information, accessible through internet search engines, resulted from a misconfigured webpage setting that allowed internal business operations pages to be indexed.
The breach triggered a series of investigations and legal actions. The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) initiated a probe after receiving complaints in 2019. Inmediata notified the affected individuals and reported the incident to federal authorities, acknowledging the misconfiguration.
HHS OCR’s investigation uncovered multiple violations of the HIPAA Privacy and Security Rules. These included the impermissible disclosure of PHI and a failure to conduct a security risk analysis to identify vulnerabilities in its electronic health information systems. Additionally, the company did not adequately monitor and review its systems for unauthorized activity.
This latest settlement adds to Inmediata’s mounting financial burden. The company paid $1.4 million in 2023 to settle claims brought by 33 state attorneys general and an additional $1.1 million in a federal class-action lawsuit earlier this year. Combined, these penalties have cost Inmediata $2.7 million in settlements.
After discovering the breach, Inmediata took steps to mitigate the damage. The company deactivated the compromised website and enlisted an independent digital forensics firm to conduct a thorough investigation. As part of its 2023 settlement with state attorneys general, Inmediata committed to strengthening its data security protocols to address the deficiencies identified during the federal investigation.
Interestingly, the $250,000 settlement with HHS OCR does not include additional corrective action requirements. HHS OCR acknowledged that the measures mandated by the prior settlement with state authorities sufficiently addressed its concerns. Inmediata has not issued a public statement regarding the latest settlement with HHS OCR.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.