Health information of 1,565,338 people made public online
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) concluded its investigation of Inmediata Health Group, resulting in a $250,000 settlement.
OCR began its investigation in 2018 after being notified that HIPAA-protected health information (PHI) was accessible to search engines like Google.
HIPAA violations
OCR discovered that between May 2016 and January 2019, the health information of 1,565,338 individuals was made available online. According to an HHS release, breached information included names, birthdays, addresses, Social Security numbers, claims information, diagnosis/conditions, and other treatment information.
During its investigation, OCR also found additional HIPAA violations. These included “failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and to monitor and review its health information systems’ activity.”
HHS said, “OCR determined that a corrective action plan was not necessary in this resolution as Inmediata had previously agreed to a settlement.”