Attorney General Phil Weiser reaches settlement with health care tech company Inmediata for data breach affecting nearly 10,000 Colorado consumers
Oct. 17, 2023 (DENVER) – Attorney General Phil Weiser announced today that Colorado reached a settlement with health care technology company Inmediata for its role in exposing the protected health information of approximately 1.5 million consumers, including nearly 10,000 Coloradans.
Weiser joined 32 other attorneys general in announcing the multistate settlement, which requires Inmediata to overhaul its data security and breach notification practices. The company also agreed to pay the states $1.4 million, of which Colorado will receive just over $21,000.
“Because of their careless handling of private, sensitive health information, Inmediata let down Colorado doctors, hospitals, and most importantly patients,” Weiser said. “We can’t undo the harm this caused to consumers, but this settlement will ensure the company has stronger data security moving forward.”
In January of 2019, the federal government alerted Inmediata that sensitive patient information maintained by the company was available online, including through online searches, allowing anyone with access to an internet search engine to download the data. Despite that warning, Inmediata delayed notification to consumers for over three months and sent misaddressed, unclear notices that lacked sufficient details or context. Consumers were then unsure why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.
State attorneys general found that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law. Today’s settlement resolves those allegations.
Under the settlement, Inmediata agreed to implement a comprehensive information security program with specific security requirements. These include code review and crawling controls, development of an incident response plan with specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years.
The $21,000 Inmediata will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.