After the breach at Inmediata that resulted in PHI exposure, the provider mailed notification letters to the affected people. But a number of people reported receiving notification letters that were addressed to another person.
The breach at Inmediata involved a webpage that company employees used internally, which was accidentally configured to allow indexing by search engines. As a result, people could find the webpage through an internet search and access the PHI of Inmediata customers’ patients.
Though forensic investigators did not find any proof that unauthorized persons accessed the webpage while it was accessible on the web, the possibility can’t be ruled out.
Unauthorized people could have viewed the following information on the webpage: patients’ names, addresses, dates of birth, gender, physicians’ names, and medical claim data. The Social Security numbers of some people were also exposed.
Inmediata began mailing breach notification letters to the affected people on April 22, 2019. However, something went wrong in sending the letters. A number of people reported that they received letters with the wrong addressee.
According to Michigan’s Consumer Protection Division, it received two reports from state residents who got misaddressed letters. Databreaches.net likewise got several reports from consumers.
This sort of error could have happened because people moved home and did not update their data. Some comments imply that the information was kept for a while. For example, a number of letters were sent to women using their maiden name. In one case, the addressee’s last name was one used 25 years ago.
The misaddressed letters only exposed names to others. It is unlikely that the patients will be harmed by the mailing error. But some people failed to receive the notification letters and don’t know about the exposure of their PHI. Therefore, they won’t be able to do anything to safeguard their identities.
Department of Insurance and Financial Services (DIFS) Director Anita G. Fox and Michigan Attorney General Dana Nessel issued a statement regarding the breach explaining how the affected people could protect their identities against theft and fraud, though the breach wasn’t limited to Michigan residents. The breach notification letters left many people confused about Inmediata and why it keeps their information.
More explanation about the company and its part in keeping people’s data would have prevented the confusion. Additional information about the mailing error will be posted here as soon as there is an update.