Attorney General Ellison reaches settlement in data breach impacting 113K Minnesotans
In bipartisan national settlement, health care clearinghouse Inmediata to overhaul data security and breach notification after 2019 data breach made sensitive medical information of 1.5 million Americans accessible via online search engines
Settlement worth $1.4M, $90K to Minnesota
October 23, 2023 (SAINT PAUL) — Minnesota Attorney General Keith Ellison announced today that he and a bipartisan coalition of 32 attorneys general have reached a settlement with health care clearinghouse Inmediata for a 2019 data breach that exposed the protected health information of approximately 1.5 million Americans for almost three years, including 113,208 Minnesota residents. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to the 32 states. Minnesota will receive $93,157 from the settlement.
As a health care clearinghouse, Inmediata facilitates transactions between health care providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that protected health information that Inmediata maintained was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.
Although Inmediata was alerted to the breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.
“Companies that hold sensitive information must take the utmost care to keep it secure. If a breach does occur, it is their duty under law to alert those affected and rectify the issue as soon as possible,” said Attorney General Keith Ellison. “Inmediata both failed to protect sensitive data and failed to promptly and accurately notify consumers of the breach. As a result, they exposed 113,000 Minnesotans to the risks of identity theft. I will hold companies accountable whenever they mishandle sensitive consumer data.”
The bipartisan, multistate settlement resolves allegations of the attorneys general that Inmediata violated state consumer-protection laws, breach-notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.
Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementation of a comprehensive information security program with specific security requirements that include code review and crawling controls, development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years.
Joining Attorney General Ellison in the bipartisan settlement are the attorney general of Indiana, who led the multistate investigation; the attorneys general of Connecticut, Michigan, and Tennessee, who served on the Executive Committee; and the attorneys general of Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.
