BreachExchange mailing list archives
Mailing Error for Inmediata, While Reporting Health Data Breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 2 May 2019 00:42:20 -0500
https://healthitsecurity.com/news/mailing-error-for-inmediata-while-reporting-health-data-breach

Inmediata Health Group recently began notifying patients that their personal health data was potentially exposed due to a misconfigured website. But in the process of mailing breach notification letters to victims, patients have reportedly received multiple letters, some of which were addressed to other patients.

The health administrator provides clearinghouse services, as well as software and business process outsourcing tools for health plans, hospitals, IPAs, and independent physicians.

In January, officials discovered some electronic health information was left exposed online by a webpage setting that allowed search engines to index Inmediata’s internal webpages used for business operations.

Upon discovery, the webpage was deactivated, and Inmediata hired an outside forensic firm to investigate. They determined the compromised data included patient names, addresses, dates of birth, gender, and medical claims data. For a small group of patients, Social Security numbers were potentially breached. Officials said they found no evidence anyone copied or saved the exposed files.

Inmediata began sending letters to the breach victims with details on just what data was potentially breached during the security incident on April 22. However, those patients soon began commenting on DataBreaches.net that the health administrator made severe mailing mistakes during the process.

According to those patients, they received multiple letters, some of which were addressed to other patients. One breach victim received two letters, one addressed to them and the other addressed to another patient. Another patient received five letters, two of which were properly addressed, but the other three were meant for three different people who had never lived at their address.

“I called today, they took down the names of the three people whose letters were sent to us and couldn’t comment further – other than [to say] they are getting a lot of these calls,” the patient wrote. “I also asked for them to tell me where the breach occurred, and they told me to expect a call back on that in three days.”

“I have reached out to the CEO Mark Reiger for explanation of receipt of four different letters that came to my home with same address and four different names,” another patient commented. “How were all these different individuals input into systems for healthcare without a flag showing up?”

Other patients commented that without context, they had no idea why Inmediata had their data, nor what service the company actually provides. Many expressed anger over the delayed breach response, as well: If the breach was first discovered in January, under HIPAA’s 60-day notification rule, reporting should have begun in March.

_______________________________________________
BreachExchange mailing list
sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange