A “large data security incident” is the subject of a proposed class action lawsuit filed against Inmediata Health Group Corp. over its alleged failure to adequately protect the sensitive information of over 1.5 million consumers.
The case explains that Puerto Rico-based Inmediata, a software and service solutions company that caters to healthcare providers, was obligated under HIPAA to carefully safeguard the confidential consumer data entrusted to it by clients. Despite this obligation, the defendant, the case says, announced in late April 2019 that “some electronic health information” was “searchable, findable, viewable, and downloadable” online due to a webpage setting that allowed search engines to index pages Inmediata used for business purposes. As a result, the lawsuit alleges, the private information—including names, addresses, Social Security numbers, dates of birth, gender, dates of medical service, diagnosis codes, procedure codes and treating physicians—of 1,565,338 consumers may have been exposed to unauthorized parties.
“This data should have received the most rigorous protection available,” the complaint argues, yet, “it did not.”
The lawsuit alleges that although Inmediata discovered the security breach “no later than” January 2019, the company waited until April to notify potentially affected consumers. The three plaintiffs say they each received a letter from Inmediata dated April 22, 2019 in which the company admitted that their data may have been compromised and urged tproposed class members to “remain vigilant” by reviewing their accounts and credit reports. Despite acknowledging the “very real threat” that the incident could result in identity theft, fraud, and “other similar risks,” Inmediata, the case alleges, failed to provide any fraud insurance to victims and offered identity monitoring services only to those whose Social Security Numbers were exposed.
The plaintiffs claim that aside from offering some suggestions on how to respond to potential risks, the company seemingly failed to take “any measures” to assist victims of the data breach.
“Inmediata failed to make any additional effort to mitigate or remediate the damage caused by its failure to protect sensitive personal and medical information,” the complaint states.
According to the lawsuit, proposed class members will face “substantial costs and inconveniences” that extend well beyond fraudulent charges to their bank accounts.
“With access to an individual’s Personal Information,” the complaint reads, “criminals can do more than just empty a victim’s bank account—they can also commit all manner of fraud, including: obtaining a driver’s license or official identification card in the victim’s name but with the thief’s picture; using the victim’s name and SSN to obtain government benefits; or, filing a fraudulent tax return using the victim’s information.”
The lawsuit seeks to cover a proposed nationwide class of anyone whose personal information was compromised in the data breach detailed above, as well as three proposed subclasses of California, Florida, and Minnesota residents.