Some patients of Inmediata, which provides clearinghouse services to healthcare organizations, received notifications in April about the exposure of their protected health information (PHI) online due to a misconfigured internal webpage.
The breach report received by the Department of Health and Human Services’ Office for Civil Rights indicated that 1,565,338 persons were affected. OCR listed this data breach as the biggest breach reported in 2019.
The information from independent doctors, hospitals and health plans was made available to personnel through an internal web page. However, the page was misconfigured so that it could be accessed without any authentication. Google indexed the web page; as a result, anyone running a Google search for the patient data could access the information. The web page contained patients' names, addresses, gender, birth dates and claims details, as well as the Social Security numbers of certain patients.
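The failure described above has two independent parts: the page answered unauthenticated requests with patient data, and nothing told search engines to keep it out of their index. The following check, an added example that is not code from the article or from Inmediata, audits a captured HTTP response for both conditions and for content that looks like PHI. The `Response` class, the finding names and the sample responses (including the fake SSN) are constructed for the illustration; in practice the response would come from an HTTP client run from outside the internal network.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns: a US SSN shape and an HTML robots meta tag carrying "noindex".
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
META_NOINDEX = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I
)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured by an unauthenticated client (hypothetical)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def requires_authentication(resp):
    """True if the unauthenticated request was refused or bounced to a login page."""
    if resp.status in (401, 403):
        return True
    if resp.status in (301, 302, 303, 307, 308):
        return "login" in resp.header("Location").lower()
    return False


def blocks_indexing(resp):
    """True if the response tells crawlers not to index it (header or meta tag)."""
    if "noindex" in resp.header("X-Robots-Tag").lower():
        return True
    return META_NOINDEX.search(resp.body) is not None


def looks_like_phi(body):
    """Cheap indicator that the served content carries identifiers such as SSNs."""
    return SSN_PATTERN.search(body) is not None


def audit(resp):
    """Return the list of findings for a page fetched without credentials.

    A page that properly gates access produces no findings; one that serves content
    to anonymous clients is flagged, and additionally flagged if it is indexable or
    carries PHI-like data.
    """
    findings = []
    if requires_authentication(resp):
        return findings
    findings.append("unauthenticated-access")
    if not blocks_indexing(resp):
        findings.append("indexable")
    if looks_like_phi(resp.body):
        findings.append("phi-like-content")
    return findings


# Constructed sample responses (the SSN below is fake).
EXPOSED = Response(
    200,
    {"Content-Type": "text/html"},
    "<html><body>Patient: Jane Doe, SSN 123-45-6789, claim 0001</body></html>",
)
NOINDEX_ONLY = Response(
    200,
    {"Content-Type": "text/html", "X-Robots-Tag": "noindex"},
    "<html><body>Patient: Jane Doe, SSN 123-45-6789, claim 0001</body></html>",
)
FIXED = Response(302, {"Location": "/login?next=/claims", "X-Robots-Tag": "noindex"}, "")

if __name__ == "__main__":
    for label, resp in (("exposed", EXPOSED), ("noindex-only", NOINDEX_ONLY), ("fixed", FIXED)):
        print(f"{label}: {audit(resp) or 'no findings'}")
```

The `NOINDEX_ONLY` case is the one to watch for: a `noindex` directive stops new crawling but does nothing about anonymous access, so an authentication gate is the fix and the indexing header is only a secondary control.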
Inmediata expediently took down the webpage when it discovered the exposed patient data. A computer forensics firm investigated the incident to ascertain if any unauthorized individual viewed the patient data online when it was accessible.
Though the investigation found no evidence of unauthorized individuals accessing or copying the information, unauthorized access cannot be 100% ruled out.
Notification letters to impacted persons were issued by Inmediata on April 22, 2019. Aside from the large data breach itself, another breach of PHI occurred during Inmediata's breach response.
People reported receiving breach notification letters addressed not to them but to some other person. Moreover, some people complained that the notification did not explain anything about the company or why it held the patients' information.