Nebraska: AG announces $1.4M settlement with Inmediata over data breach

On October 17, 2023, the Nebraska Attorney General (AG), Hilgers, announced that they, along with 32 other AGs, had reached a settlement of $1.4 million with Inmediata Health Group Corp. (Inmediata) for violations of state consumer protection laws, breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), following a data breach.

Background to the settlement

In particular, the AG noted that the data breach occurred due to a coding issue that exposed the protected health information (PHI) of approximately 1.5 million consumers for almost three years. The AG further stated that the U.S. Department of Health & Human Services' Office of Civil Rights alerted Inmediata that the PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches and potentially downloaded by anyone with access to an internet search engine.

Findings of the AG

The AG found that, although Inmediata was alerted to the data breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices, which were unclear and lacked sufficient details or context, leading recipients to dismiss the notices as illegitimate. Finally, the AG found that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and by failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Outcomes

Under the settlement, Inmediata has agreed to make a $1.4 million payment to states and to strengthen its data security and breach notification practices. These measures include implementing a comprehensive information security program with specific security requirements, including code review and crawling controls; developing an incident response plan that includes specific policies and procedures regarding consumer notification letters; and undergoing annual third-party security assessments for five years.

You can read the press release here.