Patients impacted by Inmediata Health Group’s web exposure breach are reportedly receiving multiple breach notification letters, some addressed to other patients.
Inmediata Health Group recently began notifying patients that their personal health data was potentially exposed due to a misconfigured website, according to Health IT Security. In the process of mailing breach notification letters to victims, patients have reportedly received multiple letters, some of which were addressed to other patients.
The Department of Health and Human Services recently updated its breach reporting tool, which states that 1,565,338 patients were impacted by the security event.
The health administrator provides clearinghouse services, as well as software and business process outsourcing tools for health plans, hospitals, IPAs, and independent physicians.
In January, officials discovered some electronic health information was left exposed online by a webpage setting that allowed search engines to index Inmediata’s internal webpages used for business operations.
Upon discovery, the webpage was deactivated, and Inmediata hired an outside forensic firm to investigate. The investigation determined the compromised data included patient names, addresses, dates of birth, gender, and medical claims data. For a small group of patients, Social Security numbers were potentially breached.
Officials said they found no evidence anyone copied or saved the exposed files.
On April 22, Inmediata began sending letters to the breach victims with details on just what data was potentially breached during the security incident. However, those patients soon began commenting on DataBreaches.net that the health administrator made severe mailing mistakes during the process.
According to those patients, they received multiple letters, some of which were addressed to other patients. One breach victim received two letters, one addressed to them and the other addressed to another patient. Another patient received five letters, two of which were properly addressed, but the other three were meant for three different people who had never lived at their address.
“I called today, they took down the names of the three people whose letters were sent to us and couldn’t comment further – other than [to say] they are getting a lot of these calls,” the patient wrote. “I also asked for them to tell me where the breach occurred, and they told me to expect a call back on that in three days.”
“I have reached out to the CEO Mark Reiger for explanation of receipt of four different letters that came to my home with same address and four different names,” another patient commented. “How were all these different individuals input into systems for healthcare without a flag showing up?”
Other patients commented that without context, they had no idea why Inmediata had their data, nor what service the company actually provides. Many expressed anger over the delayed breach response, as well: If the breach was first discovered in January, under HIPAA’s 60-day notification rule, reporting should have begun in March.
Davis, Jessica. (2019, May 21). 1.5M Patients Impacted by Inmediata Breach, Mailing Issue. Health IT Security.