Inmediata Health Group, Corp. recently announced that in January it found a misconfigured webpage that allowed unauthorized access to patient data. Inmediata provides clearinghouse services, software, and business processing solutions to health plans, hospitals, IPAs, and independent physicians, and handles medical billing and administrative services for health care providers and health plans nationwide. The misconfiguration allowed search engines to index Inmediata's internal webpages, so some electronic protected health information could be viewed publicly.
Upon discovery in January, the webpage was deactivated. Inmediata hired an outside forensics firm to investigate the breach and its impact on patients. The investigation determined that the exposed data included patient names, addresses, dates of birth, gender, and medical claims data. Social Security numbers may also have been exposed for a small number of these patients, though the investigation concluded that no one copied or saved the exposed files.
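The failure mode described above is an internal page that answers unauthenticated requests and carries nothing that tells a crawler to stay away. The following script is an added example, not code from Inmediata or from the original article; it assesses constructed sample responses (the URLs, headers, page bodies and the robots.txt are all hypothetical) the way a quick post-incident sweep of "internal" URLs would, separating three questions that are often conflated: is the page reachable without credentials, is it eligible for search indexing, and does the body carry data that looks like PHI.

```python
import re
from dataclasses import dataclass
from urllib.robotparser import RobotFileParser

# Hypothetical response model; in practice these fields would come from an
# unauthenticated HTTP client fetching each internal URL.
@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str

# Constructed robots.txt for the example; it only keeps crawlers out of /admin/.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
"""

# Loose patterns for data that should never appear on an unauthenticated page.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|Date of Birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I)
META_ROBOTS_RE = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\']([^"\']*)["\']', re.I)

def load_robots(text: str) -> RobotFileParser:
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def assess(resp: Response, robots: RobotFileParser) -> dict:
    """Classify one unauthenticated fetch of an internal URL.

    reachable : the server returned the page without demanding credentials
    indexable : nothing tells a crawler to stay away (robots.txt, X-Robots-Tag, meta robots)
    phi       : the body carries SSN- or DOB-like data
    """
    headers = {k.lower(): v for k, v in resp.headers.items()}
    reachable = resp.status == 200
    # robots.txt is advisory: it deters well-behaved crawlers, not people.
    crawl_allowed = robots.can_fetch("*", resp.url)
    noindex_header = "noindex" in headers.get("x-robots-tag", "").lower()
    m = META_ROBOTS_RE.search(resp.body)
    noindex_meta = bool(m and "noindex" in m.group(1).lower())
    indexable = reachable and crawl_allowed and not (noindex_header or noindex_meta)
    phi = reachable and bool(SSN_RE.search(resp.body) or DOB_RE.search(resp.body))
    if not reachable:
        verdict = "ok: authentication enforced"
    elif indexable and phi:
        verdict = "critical: PHI reachable and eligible for search indexing"
    elif indexable:
        verdict = "high: page reachable and eligible for search indexing"
    elif phi:
        verdict = "high: PHI reachable without authentication (crawlers only deterred)"
    else:
        verdict = "medium: page reachable without authentication"
    return {"url": resp.url, "reachable": reachable, "indexable": indexable,
            "phi": phi, "verdict": verdict}

# Constructed sample responses standing in for a sweep of the internal site.
SAMPLES = [
    Response("/claims/view?id=1001", 200, {"Content-Type": "text/html"},
             "<html><body>Jane Doe, DOB: 03/14/1970, SSN 123-45-6789, Claim 88211</body></html>"),
    Response("/admin/reports", 200, {"Content-Type": "text/html"},
             "<html><body>Monthly claims summary</body></html>"),
    Response("/admin/export.csv", 200, {"Content-Type": "text/csv"},
             "id,ssn\n7,987-65-4321\n"),
    Response("/portal/claims", 401, {"WWW-Authenticate": 'Basic realm="portal"'}, ""),
    Response("/internal/status", 200, {"X-Robots-Tag": "noindex, nofollow"},
             "<html><body>Queue depth: 42</body></html>"),
]

def run(samples=SAMPLES, robots_txt=ROBOTS_TXT) -> list:
    robots = load_robots(robots_txt)
    return [assess(r, robots) for r in samples]

if __name__ == "__main__":
    for finding in run():
        print(f"{finding['url']:<24} {finding['verdict']}")
```

The point of the three separate flags is that a robots.txt Disallow or a noindex directive only changes whether a page shows up in a search engine; the page at /admin/export.csv is still readable by anyone who knows or guesses the URL. Only the 401 response actually closes the exposure, which is why the fix for an incident like this one is authentication on the page, with noindex as a secondary control to keep already-cached copies from lingering in search results.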
To compound matters, patients impacted by the breach are reportedly receiving multiple breach notification letters from Inmediata, many of them addressed to the wrong patient. Many recipients had no idea why Inmediata had their personal information in the first place, while others were incensed that notification did not occur within the 60 days required by the HIPAA Breach Notification Rule. Michigan Attorney General Dana Nessel said her office was alerted to the breach on April 22 by two customers who had each received multiple misaddressed letters from the company.
There is currently no information available on how many individuals were affected or how long the webpage was publicly accessible.
The incident highlights the issue of a vendor's error affecting another company's compliance. Always verify that you are working with HIPAA compliant vendors, and have a business associate agreement (BAA) in place from the start of the engagement that makes the vendor responsible for appropriate security safeguards. Keep in mind that a BAA allocates responsibility between the parties; it does not remove the covered entity's own obligations, including its duty to notify affected individuals once a business associate reports a breach. You should also verify that business associates maintain their HIPAA compliance with annual security awareness training. If you discover you are working with a non-compliant vendor, now would be a great time to reconsider the relationship.