HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000

Inogen, a manufacturer of portable oxygen concentrators, has discovered that an unauthorized individual obtained the credentials of an employee and used them to gain access to the employee’s email account.

Phishing and other credential theft incidents are common in the healthcare sector, but what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices.

The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised.

Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were hired to determine exactly how the breach occurred, its extent, and the number of patients impacted. The forensics firm confirmed the account was accessed and, based on the IP address used to access the account, that the perpetrator was located in a foreign country.

While stolen credentials were used in the attack, it is currently unclear exactly how those credentials were obtained. While phishing is a possibility, the credentials could also have been obtained by other means, such as a man-in-the-middle attack.

Since there is potential for insurance information to be misused by the attacker, Inogen has offered credit monitoring services to affected individuals and they will be protected by an insurance reimbursement policy. While that policy will cover losses in the event of insurance information misuse, Inogen has said that the policy may not cover all expenses related to the misuse of information.

Inogen is required to comply with Health Insurance Portability and Accountability Act Rules and has reported the security breach to the Department of Health and Human Services’ Office for Civil Rights. Affected individuals have been notified by mail and relevant state attorneys general have been sent a data breach summary.

Security has been strengthened following the attack, including through the use of two-factor authentication. If an unfamiliar device is used to access an account, a second form of authentication will be required before access to the account is granted. Additionally, all passwords have been reset, further electronic tools have been deployed to prevent unauthorized access, and employee training has been enhanced.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.