[BreachExchange] Mailing Error for Inmediata, While Reporting Health Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu May 2 01:42:20 EDT 2019


https://healthitsecurity.com/news/mailing-error-for-inmediata-while-reporting-health-data-breach

Inmediata Health Group recently began notifying patients that their
personal health data was potentially exposed due to a misconfigured
website. But during the mailing of the breach notification letters,
some patients reportedly received multiple letters, some of which were
addressed to other patients.

The health administrator provides clearinghouse services, as well as
software and business process outsourcing tools for health plans,
hospitals, IPAs, and independent physicians.

In January, officials discovered some electronic health information
was left exposed online by a webpage setting that allowed search
engines to index Inmediata’s internal webpages used for business
operations. Search engine crawlers do not authenticate, so for those
pages to be indexed at all they had to be reachable without
credentials; the indexing setting only determined how easy they were
to find.
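The distinction matters when checking a site for this class of exposure: a noindex directive or a robots.txt Disallow entry asks well-behaved crawlers to stay away, but neither is access control, and a Disallow line publicly advertises the path it names. The following is an added example (not code from the article or from Inmediata) that classifies captured HTTP responses for internal URLs by whether they are protected by authentication or merely hidden from search engines, and lists the paths a robots.txt file advertises. The URLs, responses and robots.txt content are constructed sample data, and the hostname internal.example.test is hypothetical.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """A captured HTTP response for one internal URL (constructed sample data below)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.IGNORECASE)


def crawler_directives(resp):
    """Return the set of robots directives (noindex, nofollow, ...) found in the
    X-Robots-Tag header and in any <meta name="robots"> tag in the body."""
    found = set()
    for name, value in resp.headers.items():
        if name.lower() == "x-robots-tag":
            found.update(t.strip().lower() for t in value.split(",") if t.strip())
    for match in META_ROBOTS.finditer(resp.body):
        found.update(t.strip().lower() for t in match.group(1).split(",") if t.strip())
    return found


def classify(resp):
    """Classify how an internal page is exposed to an unauthenticated client.
    A noindex directive only asks crawlers not to list the page; it is not
    access control, so a 2xx response is 'exposed' with or without it."""
    if resp.status in (401, 403):
        return "access-controlled"
    if 300 <= resp.status < 400:
        return "redirect (check that the target requires authentication)"
    if 200 <= resp.status < 300:
        if "noindex" in crawler_directives(resp):
            return "exposed: reachable without auth, only hidden from search engines"
        return "exposed and indexable: reachable without auth, no noindex"
    return "other ({})".format(resp.status)


def disallowed_paths(robots_txt):
    """Paths listed under 'Disallow' in robots.txt. These are not protected;
    the file publicly advertises them to anyone who fetches it."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def audit(responses, robots_txt):
    """Map each URL to its exposure class and list the paths robots.txt advertises."""
    return {
        "verdicts": {r.url: classify(r) for r in responses},
        "advertised_paths": disallowed_paths(robots_txt),
    }


# Constructed sample data: three hypothetical internal pages and a robots.txt.
SAMPLE_RESPONSES = [
    Response("https://internal.example.test/claims/12345", 200,
             {"Content-Type": "text/html"},
             "<html><body>claim record (sample)</body></html>"),
    Response("https://internal.example.test/claims/12346", 200,
             {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
             '<html><head><meta name="robots" content="noindex"></head></html>'),
    Response("https://internal.example.test/claims/12347", 401,
             {"WWW-Authenticate": 'Basic realm="ops"'}, ""),
]
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /claims/   # internal\nDisallow: /admin/\n"

if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSES, SAMPLE_ROBOTS)
    for url, verdict in result["verdicts"].items():
        print(url, "->", verdict)
    print("paths advertised by robots.txt:", result["advertised_paths"])
```

Only the third sample page counts as protected; the second one carries noindex in both the header and the body yet is still readable by anyone who knows or guesses the URL, and the robots.txt hands out the /claims/ prefix to anyone who asks.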

Upon discovery, the webpage was deactivated, and Inmediata hired an
outside forensic firm to investigate. The firm determined the exposed
data included patient names, addresses, dates of birth, gender, and
medical claims data. For a small group of patients, Social Security
numbers were potentially exposed as well.

Officials said they found no evidence anyone copied or saved the exposed files.

On April 22, Inmediata began sending letters to the breach victims
with details on just what data was potentially exposed during the
security incident. However, those patients soon began commenting on
DataBreaches.net that the health administrator made severe mailing
mistakes during the process.

According to those patients, they received multiple letters, some of
which were addressed to other patients. One breach victim received two
letters, one addressed to them and the other addressed to another
patient. Another patient received five letters, two of which were
properly addressed, but the other three were meant for three different
people who had never lived at their address.

“I called today, they took down the names of the three people whose
letters were sent to us and couldn’t comment further – other than [to
say] they are getting a lot of these calls,” the patient wrote. “I
also asked for them to tell me where the breach occurred, and they
told me to expect a call back on that in three days.”

“I have reached out to the CEO Mark Reiger for an explanation of the
receipt of four different letters that came to my home with the same
address and four different names,” another patient commented. “How
were all these different individuals input into systems for healthcare
without a flag showing up?”

Other patients commented that without context, they had no idea why
Inmediata had their data, nor what service the company actually
provides. Many expressed anger over the delayed breach response, as
well: HIPAA’s Breach Notification Rule requires individual notice
without unreasonable delay and no later than 60 calendar days after
discovery, so a breach discovered in January should have been reported
by March, not on April 22.


More information about the BreachExchange mailing list