Lansing, MI - On Tuesday, October 17, 2023, Michigan Attorney General Dana Nessel announced two settlements involving financial and healthcare technology companies ACI Worldwide and Inmediata. ACI Worldwide is a large-scale payment processing company; Inmediata is a healthcare clearinghouse that facilitates financial and clinical transactions between healthcare providers and insurers.
“We must rely on organizations such as these to secure our financial and personal data to a reasonable and robust standard,” said Nessel. “I am happy to join my colleagues in protecting consumers and holding corporations accountable when they violate that trust.”
ACI Worldwide Settlement
Michigan joined a coalition of 48 states, the District of Columbia, and Puerto Rico in announcing a $10 million settlement with payment processor ACI Worldwide over a 2021 testing error that led to the attempted unauthorized withdrawal of $2.3 billion from the accounts of mortgage holders. Michigan will receive $246,258.97 from the settlement. A private class action settlement is providing restitution to persons affected by the testing error. Affected Michigan residents who may wish to submit claim forms must do so by November 13th, and more information on the class action settlement is available here.
ACI Worldwide is a payment processor for Nationstar Mortgage, known publicly as Mr. Cooper. On April 23, 2021, ACI was testing its Speedpay platform. Due to significant defects in ACI’s privacy and data security procedures and its technical infrastructure related to the Speedpay platform, live Mr. Cooper consumer data was entered into the system. This resulted in ACI erroneously attempting to withdraw mortgage payments from hundreds of thousands of Mr. Cooper customers on a day that was not authorized or expected. The error impacted 477,000 customers, some of whom were forced to incur overdraft or insufficient funds fees.
State regulators, including Michigan’s Department of Insurance and Financial Services, have entered into a separate agreement with ACI for an additional $10 million. The regulators’ settlement also orders ACI to take steps to avoid any future incidents, including requiring the company to use artificially created data rather than real consumer data when testing systems or software and to segregate testing or development work from its consumer payment systems.
Along with Michigan, the settlement was joined by the attorneys general of Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, the District of Columbia, and Puerto Rico.
Inmediata Settlement
AG Nessel also announced that Michigan, along with 32 other state attorneys general, has reached a settlement with Inmediata, a healthcare clearinghouse that facilitates transactions between healthcare providers and insurers across the U.S. The settlement is in response to a coding issue that exposed patient information of approximately 1.5 million consumers for almost three years.
On January 15, 2019, the U.S. Department of Health & Human Services Office of Civil Rights alerted Inmediata that personal information maintained by Inmediata was available online and had been indexed by search engines, potentially allowing sensitive patient information to be viewed and downloaded by anyone with an internet connection.
Although Inmediata was alerted to the breach on January 15, 2019, the company delayed notification to impacted consumers for over three months and then sent misaddressed and unclear notices.
The settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security.
Under the settlement, Inmediata has agreed to make a $1.4 million payment to the states. Michigan will receive $217,049 from the settlement. Inmediata has also agreed to overhaul its data security and breach notification practices going forward, including:
- implementation of a comprehensive information security program with specific security requirements, including code review and crawling controls;
- development of an incident response plan with specific policies and procedures regarding consumer notification letters; and
- annual third-party security assessments for five years.
Indiana led the multistate Inmediata investigation, assisted by the Executive Committee consisting of Connecticut, Michigan, and Tennessee, and joined by Alabama, Arizona, Arkansas, Colorado, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Utah, Washington, West Virginia, and Wisconsin.