The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled alleged HIPAA Privacy and Security Rule violations with Inmediata Health Group, a healthcare clearinghouse in Puerto Rico.
OCR uncovered the HIPAA violations while investigating the online exposure of patients’ electronic protected health information (ePHI). A complaint filed with OCR on November 16, 2018 alleged that patients’ ePHI held by Inmediata was accessible online. OCR’s investigation confirmed the allegations and established that the ePHI of 1,565,338 individuals was publicly accessible online, and indexed by search engines, from May 16, 2016 to January 23, 2019. Inmediata reviewed the exposed information and confirmed that it included names, birth dates, home addresses, claims data, diagnoses/disorders, other treatment details, and Social Security numbers.
OCR determined that the exposure of ePHI was a violation of the HIPAA Privacy Rule. Inmediata also violated the HIPAA Security Rule by failing to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and by failing to monitor activity in information systems containing ePHI.
Inmediata chose to settle the alleged HIPAA violations by paying a $250,000 penalty. A violation of this kind, which persisted for more than two years, would usually attract a higher financial penalty and a stricter corrective action plan. Under the settlement, the penalty was reduced and OCR required no corrective action plan, because the corrective measures specified in a 2023 multi-state action had already been addressed. In that 2023 settlement with Puerto Rico and 32 U.S. State Attorneys General, Inmediata agreed to a $1,400,000 financial penalty and a corrective action plan to address the noncompliance issues. Inmediata also resolved a 2022 class action lawsuit arising from the data breach for $1,125,000.
Healthcare organizations must ensure that patient health data is not reachable by anyone on the internet. Effective cybersecurity means proactively identifying risks and vulnerabilities to medical information and blocking unauthorized access to patient data.
OCR has been particularly active in enforcing HIPAA compliance in 2024. It has investigated 16 HIPAA violation cases that resulted in financial penalties. In 2024, nine HIPAA-covered entities have settled alleged violations of the HIPAA Rules, and OCR has imposed 7 civil monetary penalties. Through its 2024 enforcement activity, OCR has collected $9,228,465 in financial penalties.