Governance, Risk and Compliance, Incident Response, Privacy

$1.13M settlement proposed in Inmediata Health in lawsuit over 2019 data breach

“Cash Money (part two)” by jtyerse is licensed under CC BY-NC-ND 2.0

Inmediata Health Group has reached a $1.13 million settlement in its class action lawsuit with the 1.6 million patients affected by a 2019 cyber incident that resulted in a data breach and subsequent mailing error. The health administrator and service provider has not admitted to any wrongdoing.

Impacted individuals are eligible for up to $2,500 in reimbursement for out-of-pocket expenses, directly tied to recovery tied to the breach.

First reported in April 2019, some electronic health information was left exposed online from a misconfigured website beginning in January of that same year. The error was caused by a webpage setting that enabled search engines to index Inmediata’s internal webpages used in business operations.

Inmediata quickly moved to deactivate the webpage and determined patient names, addresses, dates of birth, gender, and medical claims data were potentially exposed. For a small subset of patients, Social Security numbers were compromised.

Notably, the investigation found no evidence that the exposed health data was copied or saved during the exposure period.

But a new privacy issue emerged when Inmediata began sending its notifications: some patients were receiving multiple notices addressed to other patients. Comments from affected patients pondered why Inmediata held their data in the first place, as well as how different individuals could be inputted into systems under the same patient without being flagged by the system.

Not only that, Immediata did not explain the delayed notices, sent far outside the 60-day timeframe required by The Health Insurance Portability and Accountability Act. The mailing error even prompted an investigation led by Michigan Attorney General Dana Nessel.

Filed in August 2019, the lawsuit called out these potential missteps, accusing Inmediata of “wrongful actions and inactions.” The breach victims called into question the delayed breach notices and the mishandling of notifications, which “indicate that [Inmediata] did not in fact reach all persons affected by the breach at that time, and may not ever have reached them.”

Inmediata is also accused of employing inadequate security measures, breaching implied contractual promise due to inadequate safeguards for protected health information, and negligence.

The lawsuit argues that patient data was “harvested by unauthorized individuals”, resulting in the “theft and dissemination into public domain of [breach victims’] personally identifiable information, causing them to suffer, and continue to suffer, economic damages and other actual harm.” No phrasing in the lawsuit provides evidence of these claims.

Inmediata has not admitted wrongdoing throughout the two-year legal negotiations. The settlement is designed to resolve these allegations. Victims are able to make claims for credit monitoring services, fraudulent charges, related fees, and up to three hours of lost time, billed at a rate of $15 per hour. Individuals must provide documentation supporting claims.

Breach victims who resided in California at the time of the incident are also eligible to receive another $50 payment through the Confidentiality of Medical Information Act. The settlement also sets aside free credit monitoring and identity theft monitoring.

A hearing to finalize the proposed settlement is scheduled for April 21.

It’s the second major healthcare data breach settlement reached in just under a month, but with staunchly different outcomes. At the end of January, Excellus reached a settlement over 14 separate cases that blasted the health plan’s security program after a systems’ hack went undetected for 18 months in 2013.

The settlement requires Excellus to overhaul its security program, with the proposed $4.3 million penalty going toward those efforts and attorneys’ fees. Excellus also did not admit any wrongdoing after years of legal negotiations. The cases spotlight the continued variances with healthcare data breach lawsuits.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.