Inmediata Health Group notifies covered entities’ patients after exposure of PHI on web

From their press release:

Inmediata Health Group, Corp. (“Inmediata”) recently became aware of a data security incident that may have involved the limited personal and medical information of some of its customers’ patients. Inmediata is directly mailing notification letters to individuals who may have been affected by this incident and to provide resources to assist them.

In January 2019, Inmediata became aware that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that Inmediata uses for business operations. Immediately after Inmediata became aware of the incident, the company deactivated the website and engaged an independent computer forensics firm to assist with an investigation. Based on the current findings of the ongoing investigation, Inmediata has no evidence that any files were copied or saved. In addition, Inmediata has yet to discover any evidence to suggest that any information potentially involved in this incident has been subject to actual or attempted misuse.

The information potentially involved in this incident may include patients’ names, addresses, dates of birth, gender, and medical claim information. A very small group of the potentially impacted people may have Social Security numbers involved as well. The letters mailed to the affected individuals specifically state what data of theirs may have been impacted.

Although Inmediata is unaware of the misuse of any involved information, out of an abundance of caution, Inmediata began mailing notification letters to the potentially affected individuals directly on April 22, 2019. The notification letters also include information about the incident and steps potentially affected individuals can take to monitor and protect their personal information. Inmediata has a toll-free call center established to answer questions about the incident and related concerns. The call center is available Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern Time and can be reached at (833) 389-2392. Further information for all patients can be found at the Inmediata website at

About Inmediata
Founded in 2002 as a health care value-added intermediary providing clearinghouse services, today Inmediata provides a full suite of software and business process outsourcing solutions for health plans, hospitals, IPAs, and independent physicians. Inmediata leverages its claim adjudication, clearinghouse, practice management, electronic health record and health information exchange services to support administrative simplification and population health. For more details, visit

SOURCE Inmediata

Update: The comments below this post suggest a major screw-up in Inmediata’s incident response as far as the mailed notifications go. I do not know know if they used a third-party vendor to handle the mailing, but what I’m reading in comments is very disturbing, to say the least!

About the author: Dissent

38 comments to “Inmediata Health Group notifies covered entities’ patients after exposure of PHI on web”

You can leave a reply or Trackback this post.
  1. Hood - April 29, 2019

    Got one of those letters, so what’s the latest on this?

    • Dissent - April 29, 2019

      They haven’t updated the notice on their site and I haven’t seen anything else. But they just disclosed this less than a week ago, so I wouldn’t really expect any updates that quickly. If you have a concern, you might try to call them.

      • Angry Old Lady - April 30, 2019

        Don’t bother. I am pretty sure the young man I talked to was on drugs to keep him calm during people’s distressed reactions to this egregious failing of this crap company who won’t even pay for the Identity Theft support we all need – not that those companies are very good eithr.

  2. jane dailey - April 29, 2019

    Too bad they don’t offer any free monitoring after they screwed up and exposed us…I like the part in the letter that the call this an “Inconvenience”

    • Dissent - April 29, 2019

      If your SSN was involved, call and ask them to provide credit monitoring at their expense if you want it. In some states, they would be required to offer credit monitoring depending on the data types involved.

      • Really Angry Old Lady - April 30, 2019

        How do I find out what states require ID coverage when these money-grubbing healthcare people ignore their obligations to make things right for their customers! How bad is this data company – not profitability but integrity – if it can’t manage it’s own data but wants to make trillions allegedly managing exchanged data – and frankly when is the real medical community going to stop paying these frauds who jeopardize their patients and raise their blood pressure, blood sugar and desire to act out postally on IT companies and their leaders who are crap people?

  3. jatthump - April 29, 2019

    Got 2 letters, 1 with my name and address, 1 with someone else’s name and my address, called and put on hold for over 15 minutes, anyone know anymore than what’s currently out there?

    • Kelly - April 30, 2019

      I got 5 letters, one with my husband’s name, one with my son’s, and 3 more for people who have nothing to do with us or our address. I called today, they took down the names of the three people whose letters were sent to us and couldn’t comment further- other than they are getting a lot of these calls. I also asked for them to tell me where the breach occurred and they told me to expect a call back on that in 3 days. We shall see.

      • Dissent - April 30, 2019

        Did you get 5 envelopes or did you get 5 letters stuffed in one envelope?

  4. Sofia Latz - April 29, 2019

    I have reached out to the CEO Mark Reiger for explanation of receipt of 4 different letters.that came to my home with same address and 4 different names. How were all these different individuals input in a systems for healthcare without a flag showing up?

    • Dissent - April 29, 2019

      Ok, that *is* concerning. Keep all 4 letters as you may want to send them to HHS/OCR as a separate HIPAA complaint.

  5. Dave - April 29, 2019

    My wife got this letter (but addressed to her maiden name). It would have been nice if they would have explained how they had her data in the first place since we have never heard of them. I assume they must do some work for one of the providers my wife uses or used in the past, but we can’t tell from the letter.

  6. Susie Garr - April 29, 2019

    Same here my name that I used 25 years ago, at one Medical facility for childbirth, comes in letter and then today .>>>>> Smith with my address, same letter, so medical records from 25 years ago have been exposed, and someone else is using my address, well so glad that I listened to Clark Howard 15 years ago and froze all my credit!

  7. Jackie P - April 30, 2019

    It appears there are several here with the same experiences of mailings with correct addresses and incorrect names. I received one at the office address with a different persons name but because Inmediata is used here to check patient eligibility I opened the envelope and read the letter. As a health care provider using Inmediata this is a HUGE issue for us
    I also attempted to contact the “Please do not hesitate to call 1-833-389-2392” and after being on hold for an extended period of time was told by automated system I would need to call back. The letter received was signed by Mark Rieger CEO and reading the comments left here I think there is some more explanation needed.
    Mr. Rieger I would like to hear back from YOU.
    Inmediata had the correct address but wrong names on how many mailings… ?
    That’s a BIG problem and I expect a follow-up. ASAP

    • brett - April 30, 2019

      If you’re a provider using their service, I would expect you would have other methods to contact and a contract????

  8. L Smith - April 30, 2019

    My husband received this letter and also 1 with different name, our address. The following day 3 more different names our address. None of them ever lived at our address. What is up with this? Seems like some scam. I wouldn’t give them any of your information. Someone needs to let us know what this is about. And not the ones that sent these letters. For obvious reasons.

  9. dawn - April 30, 2019

    I had the same incident
    I received a letter with my daughter name and our correct address AND another letter with a different persons name with our Address

  10. Tammy F - April 30, 2019

    Do not even bother to phone the number in the letter. They do not know any more than the letter states. I feel they should at least let everyone who was issued this Data Security Incident letter the name of the provider who uses Inmediata. Therefore those who were affected by this BREACH could choose whether to continue to do business with this provider. I find it amazing that this BREACH happens in January and it takes 4 months to notify individuals which were affected by THEIR INCOMPETENCE to keep our records secure. What really ticks me off is they call is and INCONVENIENCE!!!!!!!!!!!!!!!!!!

    • brett - April 30, 2019

      it has nothing to do with the provider. That’s like saying Blue Cross had a breach and so you’re going to quit going to your doctor.

      • Dissent - April 30, 2019

        Well, yes and no, Brett. If a provider has a business associate agreement with a third-party, how are they monitoring the third party to determine whether it’s meeting its obligations for data security consistent with HIPAA’s Security Rule. Accidents/misconfigurations happen, yes, and it doesn’t mean people should flee from their provider, but it’s legitimate to ask what the provider did or will do going forward.

        • brett - May 1, 2019

          Pretty pointless actually. That third party could have met their obligations for security and privacy, but everything is point in time. HIPAA scans are pointless and just another money maker for MY industry–again, point in time. One dumb user/developer and everything goes down the drain.

          Many small providers have agreements with vendors that have agreements with other vendors and they have no clue where the buck stops.

          • Dissent - May 1, 2019

            Ah. I see I’ve found another cyncial soul, a kindred spirit. But HHS/OCR has taken enforcement action when CEs have not monitored or spent enough attention to their third party vendors/associates. And we’ve certainly seen covered entities terminate contracts with BAs or third-party vendors after a breach. I do appreciate what you’re saying, but I see nothing wrong with patients letting their doctors know that they are holding them accountable for decisions that they make about who to outsource to, etc. Of course, when you’re in your doctor’s office and they are part of a big health system, and they don’t get to decide who the third parties are, that’s a whole other kettle of fish…..

          • Brett - May 6, 2019

            Actually, look at the number of cases HHS has actually done anything with–not many at all. The whole HIPAA thing is about as pointless as PCI for people that take credit cards. I know, I work in both sides

          • Dissent - May 6, 2019

            Oh, we agree on the pitiful rate of enforcement actions. But Roger Severino promised that under his leadership, we will see a lot more enforcement. As far as I know, they are investigating at least a few cases I brought to their attention. Wanna hold our breaths together?

  11. Roy Noble - April 30, 2019

    I received 4 letters. One to me, and 3 of people I never heard of. All letters had my address on them. No idea why.

  12. Donna - April 30, 2019

    Also received this letter and have never heard of this company. I have no idea how or why they have my info. I know my Ehr is with a different company so is this a scam or what?

  13. Kathleen Gosling - April 30, 2019

    Hello we called and got no answers either! I asked if they were data providers for my health care provider , got no real answer. We also received two letters one to my husband and one with our address and another unknown persons name. We gave Inmediata the name of wrong addressee. Taking letter back to post office . No satisfaction. Am going to call my Health Care Provider too! So never heard of this company either! Patience is a virtue I guess and shoring up our health info is only answer I can come up with!

  14. Gotcha - April 30, 2019

    I called every single one of my current providers and insurance company. No one heard of this company. I also left a message for my Senator, Tina Smith, She hasn’t called me back either.

  15. Pam - May 1, 2019

    I too have received 3 envelopes at my address with 3 different names. None of the names belong to anyone who has lived in our home. I called the number and was told I would receive a return call in 48 hours. No call. I called back after 48 hours…I was told they will call me back in 3 days.

  16. Elena - May 1, 2019

    I also received a letter with my address and an individual I had never heard of. The next day I received one in my name. I have never even heard of this company. I would appreciate a follow up letter with an explanation.

  17. Just passing by - May 1, 2019

    My parents also received this letter. I did a little investigation and this is what I found from friends who have worked directly or indirectly with this company.

    Inmediata works out of Puerto Rico and North Carolina. Inmediata’s main product line is to serve as a clearinghouse or a “bridge” between your healthcare provider and your healthcare insurance. They also offer other products as a PMS (Practice Management System or Medical Billing Software) and Electronic Health Records. They have multiple business partners, including some hospitals, dental providers. Medical providers and billing companies. They also serve is a primary partner to some medical insurance (APS, Cigna, Delta Dental, FHC, First Medical, Humana, Humana Military, Mapfre, MCS, MMM and some Medicaid. These are mostly for the island of Puerto Rico.
    Therefore, as a patient, you might never know who this company is. Maybe even as a physician you might not know who they are since it depends on the way the medical claims are transmitted to the insurance.
    It is still not clear if the data breach was from their clearinghouse product or their EHR/PMS products or at least no word has been said yet.
    Most of the employees don’t really know what was compromised or what really happened. They are just puppets and say what little they have been told, I actually talked to them this morning. The part that’s weird is all these letters going out with wrong information. Makes me think that the data has been compromised or someone messed up while preparing them.

    Is it a scam? No. Is someone getting in trouble? I bet so. Hope this helps

  18. Fedup - May 1, 2019

    I have also received three letters. Two came to my address, but I do not know the addressees. One was addressed to me by my middle name. I do not have any medical records in my middle name. I think somebody has a real problem.

  19. David - May 2, 2019

    I have called several times to find out what information was potentially released and by whom… The number on the form I was told “was a company named Kroll and just a credit monitoring service”, to get the information I requested, they said they would have to send a request to Inmediata and they would get back to me and that the information was leaked from my provider. They did tell me that I would have to call, Intermediata to get the information.

    When I contact Hank Owens through Linkedin, he told me:

    “Thank you for contacting me. We have the information you requested and will provide it as soon as possible. Just to be clear your medical provider is not involved in the incident. Inmediata is an intermediary between your medical provider and the insurance company.”

    I called my insurance company and they are saying, not their fault, not a vendor of theirs, so they are not responsible…It is the medical provider and Inmediata’s problem and they would not be reporting it?

    Makes me wonder if this has even been reported as as data breach to the government?

    • Dissent - May 2, 2019

      It is not on HHS’s breach tool as of right now, but sometimes they do not post reports they receive promptly and the reports may be posted days or weeks later. Then, too, Inmediata is a business associate/third party and their contract with the covered entities/providers would say whether in the event of a breach, Inmediata would do the reporting or the covered entity will. So it could be that we won’t see Inmediata’s name on the breach list for HHS because the providers report it themselves. We’ll have to wait and see, but you can expect that this one WILL be reported.

  20. AMCT - May 3, 2019

    I only received one letter. I called and asked all the same questions and received the same non-responses. My insurer is apologizing, and in the same sentence telling me that they are researching this. The letter from Inmediata tells me I can contact the Attorney General’s office in Maryland, North Carolina and Rhode Island, I do, nor have I ever lived in any of those states.This is a huge HIPAA violation. I was told by the Inmediata reps at both the toll free number on the letter and the corporate number that I looked up online that someone would call me back in 5-7 days.

  21. Heather - May 3, 2019

    I received a letter today for my son. After reading online the cause of the breach I was confused as to why they had my sons information to begin with. The gentleman I spoke to told me that it wasn’t really a breach, a computer had been left open with people information in it for a few minutes and was left unattended which is a violation so they had to notify everyone. He said their company is used to transmit information from doctors to hospitals and reverse. He then went on to check my sons info and nothing had been breached. “No one has taken out a loan or used his social security number, I can see this. I am 110% positive his information was not breached.” I asked to speak to his supervisor and was told they don’t have one. Then when I asked again he said they don’t have one in this late at night. It was 6pm his time. I still don’t know what this company does…because our doctors and hospitals use a different method of electronic records.

    • Dissent - May 3, 2019

      Did you speak to someone from Inmediata or the company they hired to handle calls and follow-up?
      If your son is a minor, he shouldn’t have a credit report at all. I am a bit puzzled that whoever you spoke to said he could SEE that no one had taken out a loan or used your son’s SSN. Did they run a credit check on your son? And if so, did they need your consent to run it?
      You might want to contact the Michigan Attorney General’s Office and be sure to relay what they said about how they had checked your son’s info and claimed that they knew no one had taken out a loan or used his SSN. Can anyone just check your son’s info that way without your consent or did you somehow consent? I’m not a lawyer and know nothing about Michigan law, but the AG’s office should be able to answer your questions.
      Good luck!

  22. Vicki - May 4, 2019

    I received one letter in my name and one in someone else’s name that has never lived at my address. If you call the number, they just read from a script. I asked for a call-back from the company to explain what health care provider this was and to discuss the duplicate letter issue. No one has reached out to me. Can we all file a class- action suit??

Comments are closed.