Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Nebraska: AG announces $1.4M settlement with Inmediata over data breach
On October 17, 2023, the Nebraska Attorney General (AG), Hilgers, announced, that they, along with 32 other AGs had come to a settlement of $1.4 million with Inmediata Health Group Corp. (Inmediata), for violations of the state consumer protection laws, breach notification laws, and Health Insurance Portability and Accountability Act of 1996 (HIPAA), following a data breach.
Background to the settlement
In particular, the AG noted that the data breach occurred due to a coding issue that exposed the protected health information (PHI) of approximately 1.5 million consumers for almost three years. The AG further stated that the U.S. Department of Health & Human Services' Office of Civil Rights alerted Inmediata that the PHI maintained by Inmediata was available online and had been indexed by search engines, as a result of which, sensitive patient information could be viewed through online searches and potentially downloaded by anyone with access to an internet search engine.
Findings of the AG
The AG found that although Inmediata was alerted to the data breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices, which were unclear and without sufficient details or context, leading recipients to dismiss the notices as illegitimate. Finally, the AG found that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach and failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Outcomes
Under the settlement, Inmediata has agreed to make a $1.4 million payment to states and strengthen its data security and breach notification practices, including implementation of a comprehensive information security program with specific security requirements, including code review and crawling controls, development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third party security assessments for five years.
You can read the press release here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
