Inogen, a manufacturer of portable oxygen concentrators, has discovered that an unauthorized individual obtained an employee's credentials and used them to gain access to the employee's email account.
Phishing and other credential theft incidents are common in the healthcare sector, but what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices.
The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised.
Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were hired to determine exactly how the breach occurred, its extent, and the number of patients impacted. The forensics firm confirmed the account was accessed and, based on the IP address used to access the account, determined that the perpetrator was located in a foreign country.
While stolen credentials were used in the attack, it is currently unclear exactly how those credentials were obtained. While phishing is a possibility, the credentials could also have been obtained by other means, such as a man-in-the-middle attack.
Since there is potential for insurance information to be misused by the attacker, Inogen has offered credit monitoring services to affected individuals and they will be protected by an insurance reimbursement policy. While that policy will cover losses in the event of insurance information misuse, Inogen has said that the policy may not cover all expenses related to the misuse of information.
Inogen is required to comply with Health Insurance Portability and Accountability Act Rules and has reported the security breach to the Department of Health and Human Services' Office for Civil Rights. Affected individuals have been notified by mail and relevant state attorneys general have been sent a data breach summary.
Security has been strengthened following the attack, including the introduction of two-factor authentication. If an unfamiliar device is used to access an account, a second form of authentication will be required before access to the account is granted. Additionally, all passwords have been reset, further electronic tools have been deployed to prevent unauthorized access, and employee training has been enhanced.
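The device-aware second-factor rule described above, as an added illustration that is not Inogen's code: a sign-in evaluator that denies an unfamiliar device until it completes a second factor, run over constructed sample sign-in events (user, device fingerprint, country and timestamp are all invented) alongside a simple new-country alert that shows how a password-only setup would have let the foreign sign-in through on day one.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample mailbox sign-in events (not Inogen's logs):
# (user, device fingerprint, source country, ISO timestamp)
SAMPLE_EVENTS = [
    ("employee1", "laptop-a1", "US", "2017-12-20T09:00:00"),
    ("employee1", "laptop-a1", "US", "2018-01-02T08:30:00"),
    ("employee1", "unknown-7f", "ZZ", "2018-01-02T23:15:00"),  # stolen password, unfamiliar device
    ("employee1", "unknown-7f", "ZZ", "2018-03-14T10:00:00"),
]
# Constructed: devices whose holder can complete the second factor (the employee's own laptop)
MFA_CAPABLE_DEVICES = {"laptop-a1"}


@dataclass
class SignInPolicy:
    """Evaluator for the control the article describes: an unfamiliar device must
    complete a second factor before access is granted, and a device only becomes
    familiar after doing so. require_mfa=False models the password-only state
    that existed before the breach."""
    require_mfa: bool = True
    trusted: dict = field(default_factory=dict)    # user -> set of familiar devices
    countries: dict = field(default_factory=dict)  # user -> countries seen on granted sign-ins

    def decide(self, user, device, country, mfa_passed):
        familiar = device in self.trusted.get(user, set())
        if self.require_mfa and not familiar:
            if not mfa_passed:
                return "deny_mfa_required"
            self.trusted.setdefault(user, set()).add(device)  # enrol after second factor
            outcome = "allow_after_mfa"
        else:
            outcome = "allow"
        self.countries.setdefault(user, set()).add(country)
        return outcome


def replay(events, require_mfa=True):
    """Run events through the policy. Returns (decisions, alerts); an alert is raised
    for any granted sign-in from a country not previously seen for that user, the
    kind of signal that surfaces a first foreign access the same day rather than weeks later."""
    policy = SignInPolicy(require_mfa=require_mfa)
    decisions, alerts = [], []
    for user, device, country, ts in events:
        seen = set(policy.countries.get(user, set()))
        decision = policy.decide(user, device, country, device in MFA_CAPABLE_DEVICES)
        decisions.append(decision)
        if decision != "deny_mfa_required" and seen and country not in seen:
            alerts.append((user, country, datetime.fromisoformat(ts)))
    return decisions, alerts
```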