Email

Michigan Joins Settlements to Resolve Data Security Errors with ACI Worldwide and Inmediata

Michigan Department of Attorney General
From Michigan Department of Attorney General <[email protected]>
Subject Michigan Joins Settlements to Resolve Data Security Errors with ACI Worldwide and Inmediata
Date October 17, 2023 8:16 PM
  Links have been removed from this email. Learn more in the FAQ.
  Links have been removed from this email. Learn more in the FAQ.
Nessel Email Header




*FOR IMMEDIATE RELEASE:*

October 17, 2023




*Media Contact:
*Danny Wimmer <[email protected]>






Michigan Joins Settlements to Resolve Data Security Errors with ACI Worldwide and Inmediata





*LANSING* – Michigan Attorney General Dana Nessel announced two settlements today involving financial and healthcare technology companies ACI Worldwide and Inmediata. ACI Worldwide is a large-scale payment processing company, Inmediata a healthcare clearinghouse that facilitates financial and clinical transactions between healthcare providers and insurers.   

“We must rely on organizations such as these to secure our financial and personal data to a reasonable and robust standard,” said Nessel. “I am happy to join my colleagues in protecting consumers and holding corporations accountable when they violate that trust.” 

*ACI Worldwide Settlement* 

Michigan joined a coalition of 48 states, the District of Columbia, and Puerto Rico in announcing a $10 million settlement with payment processor ACI Worldwide over a 2021 testing error that led to the attempted unauthorized withdrawal of $2.3 billion from the accounts of mortgage holders. Michigan will receive $246,258.97 from the settlement. A private class action settlement is providing restitution to persons affected by the testing error. Affected Michigan residents who may wish to submit claim forms must do so by November 13th, and more information on the class action settlement is available here [ [link removed] ]. 

ACI Worldwide is a payment processor for Nationstar Mortgage, known publicly as Mr. Cooper. On April 23, 2021, ACI was testing its Speedpay platform. Due to significant defects in ACI’s privacy and data security procedures and its technical infrastructure related to the Speedpay platform, live Mr. Cooper consumer data was entered into the system. This resulted in ACI erroneously attempting to withdraw mortgage payments from hundreds of thousands of Mr. Cooper customers on a day that was not authorized or expected. The error impacted 477,000 customers, some of whom were forced to incur overdraft or insufficient funds fees. 

State regulators, including Michigan’s Department of Insurance and Financial Services, have entered into a separate agreement with ACI for an additional $10 million. The regulators’ settlement also orders ACI to take steps to avoid any future incidents, including requiring the company to use artificially created data rather than real consumer data when testing systems or software and to segregate testing or development work from its consumer payment systems. 

Along with Michigan, the settlement was joined by the attorneys general of Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, the District of Columbia, and Puerto Rico.  

*Inmediata Settlement* 

AG Nessel also announced that Michigan, along with 32 other state attorneys general, has reached a settlement with Inmediata, a healthcare clearinghouse that facilitates transactions between healthcare providers and insurers across the U.S. The settlement is in response to a coding issue that exposed patient information of approximately 1.5 million consumers for almost three years.  

On January 15, 2019, the U.S. Department of Health & Human Services Office of Civil Rights alerted Inmediata that personal information maintained by Inmediata was available online and had been indexed by search engines, potentially allowing sensitive patient information to be viewed and downloaded by anyone with an internet connection.  

Although Inmediata was alerted to the breach on January 15, 2019, the company delayed notification to impacted consumers for over three months and then sent misaddressed and unclear notices.  

The settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security. 

Under the settlement, Inmediata has agreed to make a $1.4 million payment to the states. Michigan will receive $217,049 from the settlement. Inmediata has also agreed to overhaul its data security and breach notification practices going forward, including: 


* implementation of a comprehensive information security program with specific security requirements, including code review and crawling controls; 
* development of an incident response plan with specific policies and procedures regarding consumer notification letters; and 
* annual third-party security assessments for five years. 

Indiana led the multistate Inmediata investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.

###






AG logo [ [link removed] ]





*Media Inquiries* <[email protected]>




*Latest Releases* [ [link removed] ]




*File a Complaint* [ [link removed] ]







________________________________________________________________________

Michigan Department of the Attorney General [ [link removed] ]   Questions?
  Contact Us [ [link removed] ]

STAY CONNECTED: Visit us on Twitter [ [link removed] ] Instagram logo [ [link removed] ] Visit us on Facebook [ [link removed] ] YouTube [ [link removed] ] Sign up for email updates [ [link removed] ]      

Bookmark and Share [ [link removed] ]

SUBSCRIBER SERVICES:
Manage Preferences [ [link removed] ]  | Help [ [link removed] ]

________________________________________________________________________

This email was sent to [email protected] using GovDelivery Communications Cloud on behalf of: Michigan Attorney General · G. Mennen Williams Building, 7th Floor · 525 W. Ottawa St., P.O. Box 30212 · Lansing, MI 48909 · 517-373-1100
Screenshot of the email generated on import

Message Analysis

The Archive of Political Emails is a project of Defending Democracy Together Institute. Please email [email protected] with any questions.