When Dave Krelic started receiving letters at his St. Paul home saying his family’s personal medical information may have been disclosed online, he started calling around town to find out who had lost control of his data.

But none of his family’s doctors or insurers would acknowledge ever working with Inmediata Corp., the Puerto Rican data-handling company that sent him the vague letters. Krelic was mystified as to how a firm he had never heard of had obtained his data in the first place.

More than 1.3 million Americans have received the same letters, Inmediata CEO Mark Rieger disclosed in an e-mail to the Star Tribune on Friday. They include Minnesotans who received Inmediata’s data-security warning in late April warning that their names, dates of birth, doctors’ names, medical-diagnosis codes, treatment information and, in some cases, Social Security numbers were exposed online. Beth Rozga of St. Paul said her efforts to investigate the letter she received about her family’s data have been futile. 

“It’s unsettling,” Rozga said. “We’re all scrutinizing Facebook and what they’re doing with our data … and yet when someone’s got my medical information, it’s impossible to figure out who they are, why they have it.”

Attorney General Keith Ellison’s office told the Star Tribune his office is investigating the issue and wants to hear from the public. “I encourage everyone who has heard from Inmediata about this to contact my office. The more we hear from consumers, the more it will help us in getting to the bottom of it,” Ellison said in an e-mail. The phone numbers are 651-296-3353 (Twin Cities) or 1-800-657-3787.

Meanwhile, the attorney general in Michigan is separately investigating why the company apparently sent some of its data-security warnings to the wrong addresses in that state.

“We regret any concern and inconvenience this may have caused those who received a notification letter from us,” Inmediata’s Rieger said via e-mail Friday. “Our priority was to provide notice to those who were affected by this issue as quickly as possible.”

The letter to patients said there’s no evidence that the personal information exposed online was copied or saved after it was disclosed, and there’s no sign the data were misused. It blamed the exposure on a misconfigured setting on an internal Inmediata website that it said allowed search engines in January to see and index pages that contained “member patients’ ” electronic health data. Inmediata said it deactivated the website and hired a computer forensics firm once the incident was discovered.

Rieger confirmed in an e-mail Friday that letters are being sent to 1.38 million people, putting the incident among the top three of the 450 such breaches under investigation by the federal Health and Human Services’ Office of Civil Rights (OCR) in the past two years. The OCR declined to comment on why the incident is not yet listed online.

Breaches of personal information about consumers are increasingly common in many industries, including health care, with the proliferation of vast databases that are supposed to be protected behind digital firewalls. Sometimes these databases can be misconfigured to allow unauthorized access, as apparently happened with Inmediata, while other times the data are targeted in a cyberattack.

Earlier this year, a two-doctor practice in Michigan permanently closed after a ransomware attack obliterated the practice’s patient records, becoming the first health care provider in the U.S. to close because of a ransomware attack. In Minnesota, more than 100,000 people have been affected by breaches under investigation by the OCR since May 2017, including a breach last year at the Minnesota Department of Human Services that exposed the information of more than 10,000 people who use state health and welfare programs.

In most of the Minnesota cases, the entities sending out the breach letters are recognizable because they are either health care providers or public agencies.

Few patients have heard of Inmediata, which was formerly known as Secure EDI. But the company has access to patients’ health information because it is a cog in the vast electronic system used to pay medical bills and track patients in the United States.

Among its various business lines, Inmediata acts as a data “clearinghouse” for health care providers and insurance companies. That means the company electronically transmits claims from health care providers to insurers, and then sends payment verifications back to the provider. Intermediaries like Inmediata typically get permission to handle health records when patients sign forms at their health care providers’ offices for the federal health care privacy law commonly referred to as HIPAA.

The Inmediata letters reveal none of this information, nor do they say which health care providers’ patient data were affected.

Krelic, a former fraud investigator, said he spent hours communicating with his current health insurer, UnitedHealthcare, as well as his past insurer, HealthPartners, trying to find out what information was exposed and whether it’s significant enough to take precautionary steps. Krelic also reached out to his family’s health care providers. None said they worked with Inmediata. (UnitedHealthcare and HealthPartners both told the Star Tribune they do not have vendor relationships with Inmediata.)

On Friday, three weeks after he called Inmediata’s incident hotline, Krelic said he received an e-mail from Inmediata stating that records involving a 2012 visit to a dental provider were involved in the breach.

“Your health plan at the time of this visit required this provider to use certain intermediaries to submit the claim for payment,” the e-mail said. “Inmediata is one of those intermediaries.”

Krelic said he remains concerned by the response. “My insurance company and provider have not taken responsibility or notified me that there was a data breach and my personal information was exposed,” Krelic said via e-mail. “Bottom line: I gave the data/authorization to [a health care provider] for them to process it through my insurance company, and not to Inmediata. They are responsible for ensuring that HIPAA regulations and the security of my personal information is met.”