Minnesota to get $90K in settlement with health care company for 2019 data breach

A company responsible for handling sensitive medical data will pay $1.4 million for its response to a 2019 breach that allowed personal information to show up in common search engine results.

Minnesota Attorney General Keith Ellison, along with 32 other state attorneys general, reached a settlement with the health care clearinghouse company Inmediata for a data breach that exposed the protected health information of about 1.5 million people for almost three years.

The breach reportedly impacted 113,208 Minnesotans. The state will receive a total of $93,157 out of the $1.4 million national settlement, according to a news release from the Minnesota Attorney General’s Office.

Officials say that money will go to the state’s general fund, which the state legislature is responsible for allocating.

Inmediata worked to facilitate transactions between health care providers and insurers across the country.

The breach meant that the protected health data maintained by Inmediata was available online and was indexed by search engines. Sensitive information was available to anyone who searched for it and could subsequently be downloaded.

Court documents say that the U.S. Department of Health and Human Services’s Office of Civil Rights alerted the company to the breach on Jan. 15, 2019, but Inmediata delayed notifying those impacted for more than three months. The company then sent misaddressed notices, which left out sufficient details, causing many to dismiss the notices.

The company was accused of violating consumer protection laws, breach notification laws and HIPAA laws by failing to secure the data they were handling, not conducting a secure code review and not properly notifying the people the breach impacted.

The resulting settlement includes an agreement from Inmediata to strengthen its data security and breach notification practices. This includes adding an information security program with “code review and crawling controls,” an incident response plan and procedures for consumer notification letters. The news release states that the company will be subject to third-party security assessments for five years.

Minnesota Attorney General Keith Ellison released the following statement on the settlement:

“Companies that hold sensitive information must take the utmost care to keep it secure. If a breach does occur, it is their duty under law to alert those affected and rectify the issue as soon as possible. Inmediata both failed to protect sensitive data and failed to promptly and accurately notify consumers of the breach. As a result, they exposed 113,000 Minnesotans to the risks of identity theft. I will hold companies accountable whenever they mishandle sensitive consumer data.”

Attorney General Keith Ellison

Authorities say the multistate effort was led by the attorney general of Indiana. The other states in the lawsuit are Connecticut, Michigan, Tennessee, Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia and Wisconsin.