Stemming from a 2019 data breach that impacted nearly 1.6 million patients, Puerto Rico-based Inmediata Health Group reached a $1.13 million settlement to resolve a class-action lawsuit. The lawsuit alleged that the healthcare clearinghouse failed to secure protected health information (PHI).
Under HIPAA, organizations must notify patients of healthcare data breaches within 60 days. But Inmediata began notifying patients that their data was potentially compromised in mid-April 2019, despite the fact that the breach occurred in January.
The breach occurred when a misconfigured web setting allowed search engines to index internal webpages. The website leaked medical claim information, demographic details, and some Social Security numbers.
Inmediata immediately deactivated the website and engaged a digital forensics firm. The investigation found no evidence of data exfiltration or misuse as a result of the data leak.
But the situation escalated when some patients reported receiving multiple notification letters, some of which were addressed to different patients. The mailing errors caused some patients to receive anywhere from one to five letters.
The lawsuit, which was filed in August 2019, alleged that Inmediata failed to implement adequate security measures and failed to notify impacted individuals of the breach within a reasonable timeframe.
The $1,125,000 settlement will cover all administrative expenses and approved claims to settlement class members. In addition, Inmediata will pay the cost of Kroll’s Web Watcher Services for settlement class members who choose to enroll.
The healthcare clearinghouse also agreed to pay incentive awards to representative plaintiffs, at a maximum of $2,000 for each, as well as attorneys’ fees and costs for the class counsel.
Data breach victims are entitled to submit claims for fraudulent charges, credit monitoring services, and out-of-pocket losses.
“The Plaintiffs claim that Inmediata failed adequately to protect their personal information and that they were injured as a result. Inmediata denies any wrongdoing, and no court or other entity has made any judgment or other determination of any wrongdoing or that the law has been violated,”
the settlement website states.
“Inmediata denies these and all other claims made in the lawsuit. The Court has not decided that Inmediata did anything wrong and the Settlement does not mean Inmediata is admitting that it did anything wrong. Both the Plaintiffs and Inmediata believe that the Settlement is fair, adequate, and reasonable and that it is in the best interests of the Settlement Class.”
Class members have until March 21, 2022, to file a claim form and until April 19, 2022 to exclude themselves from the settlement. The final hearing will take place on April 21.