Inmediata, a clearinghouse that provides services to healthcare organizations, notified patients in April 2019 that their protected health information (PHI) had been exposed on the web because of a misconfigured internal webpage.
The Department of Health and Human Services' Office for Civil Rights has already received the breach report, which indicates that the PHI of 1,565,338 individuals was exposed. The breach is currently listed as the largest incident reported in 2019.
The data was made available to employees through an internal webpage. A misconfiguration of that page, however, left it reachable from the internet without any authentication. Google indexed the page, so anyone searching for the patient information could find it.
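As an added example (not from the original article, and not Inmediata's own tooling), the following Python script shows the check a practitioner would run against a page that is supposed to be internal: request it with no credentials or session, then report whether it served content at all and whether anything tells search engines not to index it. The URLs, headers and page bodies are constructed samples, and the three cases show the failure mode described above, a page that is open but carries a noindex directive, and the corrected state where anonymous requests are redirected to a login page.

```python
"""Exposure check for a page that is supposed to be internal.

Added example, not code from the original article or from Inmediata.
Given the response to a request made WITHOUT credentials or a session,
it reports whether the page served content (exposed) and whether it
carries any directive telling search engines not to index it. A page
that is both exposed and indexable is in the state the article describes.
All URLs, headers and bodies below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# <meta name="robots" content="..."> with the name attribute before content
# (assumption: that attribute order; other orders are not matched here).
META_ROBOTS = re.compile(
    r'<meta\s+[^>]*?name\s*=\s*["\']robots["\'][^>]*?content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)


@dataclass
class Finding:
    url: str
    exposed: bool      # content returned to an unauthenticated client
    indexable: bool    # exposed and nothing tells crawlers to stay away
    reasons: list = field(default_factory=list)


def assess(url: str, status: int, headers: dict, body: str) -> Finding:
    """Classify one unauthenticated response (status, headers, body)."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []

    # 2xx to an anonymous request means the page is open; a 401/403 or a
    # redirect (typically to a login page) means access is being gated.
    exposed = 200 <= status < 300
    if exposed:
        reasons.append(f"HTTP {status} with no credentials supplied")
    elif status in (401, 403) or 300 <= status < 400:
        reasons.append(f"HTTP {status}: access challenged or redirected")
    else:
        reasons.append(f"HTTP {status}: unexpected, review manually")

    # Crawler directives: X-Robots-Tag header or a robots meta tag.
    noindex = "noindex" in h.get("x-robots-tag", "").lower()
    m = META_ROBOTS.search(body)
    if m and "noindex" in m.group(1).lower():
        noindex = True

    indexable = exposed and not noindex
    if indexable:
        reasons.append("no noindex directive in X-Robots-Tag or <meta name=robots>")
    elif exposed:
        reasons.append("noindex present, but that only limits discovery, not access")
    return Finding(url, exposed, indexable, reasons)


# Constructed sample responses, as seen by a client with no credentials.
SAMPLES = {
    # The failure mode: the page answers with data and carries no crawler directive.
    "https://portal.example.internal/claims/list": (
        200,
        {"Content-Type": "text/html"},
        "<html><body><table><tr><td>DOE, JANE</td><td>1970-01-01</td>"
        "<td>CLM-000123</td></tr></table></body></html>",
    ),
    # Partial mitigation: still open, but crawlers are told not to index it.
    "https://portal.example.internal/claims/export": (
        200,
        {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
        "<html><head><meta name=\"robots\" content=\"noindex\"></head></html>",
    ),
    # The corrected state: anonymous requests are redirected to a login page.
    "https://portal.example.internal/claims/search": (
        302,
        {"Location": "https://portal.example.internal/login", "X-Robots-Tag": "noindex"},
        "",
    ),
}


def scan(samples: dict = SAMPLES) -> dict:
    """Run assess() over every sample; returns {url: Finding}."""
    return {url: assess(url, *resp) for url, resp in samples.items()}


if __name__ == "__main__":
    for f in scan().values():
        state = "EXPOSED+INDEXABLE" if f.indexable else "EXPOSED" if f.exposed else "gated"
        print(f"{state:18} {f.url}")
        for r in f.reasons:
            print(f"    - {r}")
```

In a real run, SAMPLES would be replaced with responses fetched from a client that holds no cookies or credentials, and the scan repeated from outside the corporate network. The second sample is deliberately not a fix: a noindex directive only reduces the chance that a search engine surfaces the page, while anyone who has the URL can still read it. The control that actually addresses the failure mode is authentication in front of the page, and once content has been indexed, taking the page down has to be paired with a removal request to the search engine.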
The data came from health plans, hospitals, and independent physicians and included patients' names, addresses, dates of birth, gender and claims information, as well as Social Security numbers for some patients.
Inmediata took the webpage offline as soon as it discovered that patient data were exposed, and engaged a computer forensics firm to determine whether any unauthorized person had accessed the patient information during the time it was reachable from the internet.
Although the investigators found no evidence that unauthorized persons accessed or copied the information, unauthorized access cannot be completely ruled out.
Inmediata began mailing breach notification letters to affected individuals on April 22, 2019. In addition to the original breach, further impermissible PHI disclosures occurred when Inmediata responded to it.
Some recipients reported receiving breach notification letters addressed to another person. Others complained that the letters did not clearly explain who the company was or why it held the patients' information.