Healthcare breach of 1.5M records made worse by notifications sent to wrong addresses

Editor's Note: This story has been updated to include statements from Inmediata CEO and president Mark Rieger.


Inmediata Health Group, a healthcare clearinghouse, notified patients last month that at least 1.56 million people had their personal health data potentially exposed due to a misconfigured website.

And if the cyber breach weren't bad enough, patients who received breach notification letters from Inmediata reported receiving multiple letters, some of which were addressed to other patients.

Inmediata Health Group works out of San Juan, Puerto Rico, and Charlotte, North Carolina. It posted a notice on its website April 24 saying that it recently became aware of a data security incident that may have involved the limited personal and medical information of some of its customers’ patients.

The company said it was mailing notification letters to the potentially impacted individuals to notify them they may have been affected and to provide resources to assist them.

The company provides clearinghouse services, as well as software and business process outsourcing tools for health plans, hospitals, and independent physicians. According to the company's website, its business partners include FHC, First Medical, Humana, Humana Military and some Medicare plans.

In an emailed statement, Mark Rieger, Inmediata president and CEO, said the data involved "is almost exclusively very basic data that poses minimal risk." He said the company mailed out notification letters because "we wanted to be sure to let the individuals know because it was the right thing to do."

The company said in the online notice that it became aware in January 2019 that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations.

"Immediately after we became aware of the incident, we deactivated the website and engaged an independent digital forensics firm to assist with an investigation," the company said in the online notice. 

Based on the current findings of the ongoing investigation, there is no evidence that any files were copied or saved. In addition, to date the company has not discovered any evidence to suggest that any information potentially involved in this incident has been subject to actual or attempted misuse, Inmediata officials said in a statement.

The information potentially involved in this incident may include patients’ names, addresses, dates of birth, gender, and medical claim information, the company said. 

A "very small group of the potentially impacted people" may have Social Security numbers involved as well, according to the company.

There is no indication, based on the notice posted on the website, that the company is offering free credit monitoring services as many companies do in the wake of a data breach.

"Data is the most important asset that healthcare has and it must be protected by all covered entities, business associates, and other third-party vendors. We are still not protecting patient or member data the way that ensures privacy and security for all. Accidental, intentional, criminal or simply a 'mistake,' a breach of that information is still a breach," David Finn, executive vice president of strategic innovation at cybersecurity firm CynergisTek told Fierce Healthcare.

The company began mailing notification letters to the potentially affected individuals directly on April 22, 2019. The letters mailed to the affected individuals specifically state what data of theirs may have been impacted.

Patients soon began commenting that Inmediata made drastic errors when mailing out the notification letters—people reported receiving multiple notification letters, many with the names of people who are unknown to them and who do not live at their address.

The comments, posted by at least 22 people, suggest that the mailing errors exposed patients’ names to other patients. In the comments, patients voiced frustration that when they called Inmediata's toll-free call center they did not get more specific answers about the breach or about the mailing errors.

One commenter said, "Got 2 letters, 1 with my name and address, 1 with someone else’s name and my address, called and put on hold for over 15 minutes."

Another commenter wrote, "I got 5 letters, one with my husband’s name, one with my son’s, and 3 more for people who have nothing to do with us or our address. I called today, they took down the names of the three people whose letters were sent to us and couldn’t comment further—other than they are getting a lot of these calls. I also asked for them to tell me where the breach occurred and they told me to expect a call back on that in 3 days. We shall see."

In his emailed statement, Rieger said, "We regret any concern and inconvenience this may have caused those who received a notification letter from us. Our priority was to provide notice to those who were affected by this issue as quickly as possible."

He said Inmediata and its contracted mailing vendor performed "numerous address integrity tests to minimize the invalid address risks." 

"This effort resulted in correcting several hundred thousand addresses prior to mailing. We accept that it was not possible to be perfect given the magnitude of the forensic effort, the time between discovery and notification requirements, the age of the data, and the syntax of the data set," he said.

He also said individuals are encouraged to use standard USPS procedures for an invalid address.

Finn said the erroneous mailings of breach notifications may represent another breach under HIPAA, depending on the data included. The incident also highlights the importance of strong data governance, security, and privacy of patients' protected health information, he said. "Like so many organizations, it appears they did not have a good, tested breach response plan in place," he said.

Other patients also commented that they did not recognize the company's name when they received the letter, and without context, they didn't understand why the company had their data or what services it provides.

A number of patients also were alarmed at the delay in notification as the company discovered the data breach in January but didn't post the online notice until April 24.