Puerto Rico software company Immediata Health Group, Corp. has agreed to pay $1.125m to settle a class-action lawsuit filed over a 2019 data breach.
The protected health information of more than 1.56 million individuals was exposed in the security incident, which was detected by Immediata in January 2019. Three months after the breach was discovered, the 20-year-old company began notifying individuals whose information may have been exposed in the attack.
In a statement released on April 26 2019, the company said that a webpage setting that permitted search engines to index internal webpages that Inmediata uses for business operations had caused some electronic health information to be viewable online.
Immediata provides clearinghouse services and a full suite of software and business process outsourcing solutions for health plans, hospitals, IPAs and independent physicians.
Information exposed in the incident may have included some of Immediata's customers' patients' names, addresses, dates of birth, gender and medical claim information. For some patients, Social Security numbers may have been involved as well.
In April 2019, a class action lawsuit – Jessie Seranno et al. v. Inmediata Corp. and Inmediata Health Group Corp – was filed on behalf of the victims. The suit alleged that Immediata had neglected to implement appropriate security measures to protect individuals' health information. It also accused the company of being too slow to send out breach notification letters to impacted individuals.
HIPAA Journal reports that errors were made by Immediata's mailing vendor, which caused notification letters to be sent to the wrong patients.
While Immediata has not admitted any wrongdoing in relation to the data breach, the company has opted to settle the case by setting up a $1.125m fund to cover claims from the plaintiffs and class members.
Under the terms of the agreement, all class members will be entitled to submit claims of up to $2500 as reimbursement for documented out-of-pocket expenses incurred in relation to the data breach. Valid expenses include the cost of credit monitoring services, fees and any fraudulent charges on their accounts, as well as up to three hours of time at a rate of $15 per hour.