Inmediata, a provider of clearinghouse services and business process software, has agreed to settle a class action lawsuit filed by victims of its 2019 security breach that exposed the protected health information of more than 1.56 million individuals.
In January 2019, Inmediata discovered a misconfiguration on its website resulted in internal web pages containing electronic protected health information (ePHI) being accessible over the Internet. The web pages were indexed by the search engines and could be found in the search engine listings. The exposed information was mostly limited to names, addresses, dates of birth, gender, and medical claim information. A small percentage of individuals also had their Social Security numbers exposed. When sending notification letters to affected individuals, errors were made by its mailing vendor that resulted in letters being sent to incorrect individuals. Some individuals reported receiving multiple notification letters, with some containing the names of other patients. The notification letters were sent in April 2019, three months after the data breach was discovered. Inmediata’s investigation found no evidence to suggest any information on the web pages had been viewed or copied by unauthorized individuals, but it was not possible to rule out unauthorized ePHI access.
In April 2019, a class action lawsuit – Jessie Seranno et al. v. Inmediata Corp. and Inmediata Health Group Corp – was filed on behalf of victims of the breach that alleged Inmediata had failed to implement appropriate information security measures to keep individuals’ protected health information private and confidential, and also unnecessarily delayed issuing breach notification letters.
Inmediata has not admitted any wrongdoing and does not accept any liability for the data breach but has decided to settle the case to avoid further legal costs and the uncertainty of a jury trial. Under the terms of the settlement, Inmediata will set up a $1.125 million fund to cover claims from the plaintiffs and class members.
All class members will be entitled to submit claims of up to $2,500 as reimbursement for documented out-of-pocket expenses incurred in relation to the data breach, including the costs incurred from credit monitoring services, fees, and any fraudulent charges on their accounts, as well as up to three hours of time at a rate of $15 per hour. A further $50 or more can be claimed by all breach victims who were living in California at the time of the breach, as required by the California Confidentiality of Medical Information Act (CMIA). The amount available to cover CMIA claims will be determined by the number of individuals who submit a claim. All class members will also be entitled to a complimentary membership to Kroll’s Web Watcher credit and identity theft monitoring service.
The plaintiffs and class members have until March 21, 2022, to submit their claims, exclude themselves, or object to the settlement. The final approval hearing is scheduled for April 21, 2022.
The post Inmediata Agrees to Settle Class Action Lawsuit for $1.125 Million appeared first on HIPAA Journal.