Inmediata Health Group, a clearinghouse based in Puerto Rico, on May 7 notified the Office for Civil Rights that personal and medical data on nearly 1.6 million of its customers' patients had been visible online, the largest data breach reported to the office this year. The disclosure was the result of a misconfigured setting that had permitted search engines to index internal company webpages, according to a notice the company posted online.
Inmediata has not determined when the inadvertent disclosure began, according to Mark Rieger, the company's president and CEO.
Inmediata said it deactivated the website upon becoming aware of the incident in January and is working with an independent computer forensics firm on an ongoing investigation. Based on the investigation's findings to date, Inmediata said it has no evidence that any files were copied or saved from the webpage.
"Our priority was to provide notice to those who were affected by this issue as quickly as possible," Rieger said in an emailed statement. "Though the data involved is almost exclusively very basic data that poses minimal risk, we wanted to be sure to let the individuals know because it was the right thing to do."
The data breach may have exposed patients' names, addresses, dates of birth, gender and medical claim information, as well as Social Security numbers for a "very small group" of individuals, according to Inmediata's online notice.
Data breaches resulting from unauthorized access and disclosure, such as the breach at Inmediata, accounted for 45% of the data breaches reported in May. Hacking and IT incidents, which have dominated healthcare breaches in recent months, accounted for 47% of the data breaches reported last month.
The remaining three data breaches resulted from theft of paper records, computers and other devices.