A mailing error at Inmediata has seen breach notification letters being sent to the incorrect addresses.
Inmediata was sending the breach notification letters after it was discovered that a webpage that should have only been accessible to Inmediata employees was indexed by search engines and therefore publicly available. This security breach was the result of misconfigured security settings.
The compromised webpage contained patient PHI. Although investigators did not find evidence suggesting that any unauthorised individuals had accessed, downloaded, or altered the PHI, they could not rule out the possibility. Therefore, following HIPAA’s Breach Notification rule, Inmediata prepared to notify affected patients of the security incident.
The webpage contained information such as patients’ names, addresses, dates of birth, gender, doctor’s names, and medical claim information. A small number of individuals also had their Social Security number exposed.
Inmediata started sending notification letters to affected individuals on April 22, 2019. However, several individuals have reported receiving letters addressed to other individuals.
The state of Michigan’s Consumer Protection Division received two such reports from state residents who received letters intended for other individuals. Databreaches.net also received multiple reports from consumers who had received letters in error.
Sometimes mailing errors are a result of individuals moving home and the entity’s database not being updated. Some of the comments suggest that the data had been held for some time. For instance, some letters were addressed to women using their maiden name. In one case, the patient had only used that name on one encounter with a healthcare provider 25 years previously.
The misaddressed letters only disclosed an individual’s name to others at the given address. No medical information was included in the letters. Although this does not harm the patients, the mailing error means some individuals will not have received letters and will be unaware that their PHI has been exposed. Consequently, they are unaware of the potential risks of the data breach.
Michigan Attorney General Dana Nessel and Department of Insurance and Financial Services (DIFS) Director Anita G. Fox issued a statement about the breach. They emphasised the protective measures that affected individuals can take to mitigate the risks of identity theft and fraud.
The letters have also left many individuals confused about who Inmediata is and why the company has their data. Similar confusion has arisen in the past when other business associates have issued breach notification letters.
A copy of the breach notification letter on the California Attorney General’s website states that “In January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.”
“It would have been nice if they would have explained how they had [my wife’s] data in the first place since we have never heard of them,” wrote one commenter on databreaches.net report.
Further information on the mailing error will be made available here as and when it becomes available.