Email Breach at Oxygen Equipment Maker Affects 30,000
Inogen Reports Security Incident in Filing with SEC
Unauthorized access to an employee's email account has resulted in a breach affecting 30,000 current and former rental customers of Inogen, a maker and supplier of oxygen equipment, the publicly traded company has disclosed in a filing with the Securities and Exchange Commission.
In addition to customers' personal information, Inogen says the breach may have exposed nonpublic financial information of the Goleta, Calif.-based company.
Inogen's 8-K filing with the SEC on April 13 says that the unauthorized access from outside the company to an employee's emails and attached files appears to have occurred between Jan. 2 and March 14, 2018.
Some of the messages and file attachments may have contained personal information of Inogen equipment rental customers, including name, address, telephone number, email address, date of birth, date of death, Medicare identification number, insurance policy information and type of medical equipment provided.
Inogen is notifying affected individuals and offering them free credit monitoring and an insurance reimbursement policy, the company notes in its filing.
Ali Bauerlein, Inogen's CFO, tells Information Security Media Group that the company is reporting the incident to the U.S. Department of Health and Human Services as a health data breach under HIPAA, and it's also notifying state attorneys general.
The breach was detected on March 14, she says.
A forensics investigation so far has determined that the attacker gained access to the employee's email through compromising the worker's credentials, Bauerlein says. The IP address of the intruder was based in another country, she says, declining to identify the nation. The company has not yet determined what kind of attack was involved - "whether phishing, man-in-the-middle or something else," she says.
Privacy and security attorney Laura Hammargren of the law firm Mayer Brown, who is not involved in the Inogen case, notes: "What is interesting to me about the breach is that Inogen made this an SEC filing; it begs the question of whether the SEC's recent guidance will prompt more regular disclosure of data incidents."
The SEC says its revised cybersecurity guidance issued in February is aimed at assisting publicly traded companies in preparing disclosures about cybersecurity risks and incidents.
Inogen notes in the SEC filing that it has hired a forensics firm to investigate the incident and to help bolster security of its systems. The company is requiring all email users to change their passwords.
The company has also implemented multifactor authentication for remote email access and has taken additional steps to further limit access to its systems and other preventive measures, including enhanced training and use of electronic tools, the filing notes.
Inogen has insurance coverage in place for certain potential liabilities and costs relating to the incident, but this insurance may not be adequate to protect against all costs, the company notes in the filing. Bauerlein says Inogen has not yet determined the potential costs of the breach.
Litigation attorney Patricia "Trish" Carreiro of the law firm Axinn, Veltrop & Harkrider, who is not involved with the case, says the Inogen breach illustrates that insurance for cyber incidents and breaches differs from most other kinds of insurance.
"Part of what makes cyber insurance so unique is that there is no uniform 'basic' cyber insurance policy," she says. "Every policy's language is different, and they usually include options for many different coverages. What coverage a client needs depends on what their risks are and what other tools they have in place to protect themselves from those risks. Some of the most important coverage to have is for the costs of your forensic investigation - this is a common coverage."
Other useful coverage, she says, includes business interruption, data breach notification expenses, attorney's fees, public relations professional fees, call center expenses and credit monitoring or identity theft insurance for impacted individuals.
Other medical equipment makers and suppliers should take notice of the Inogen incident, Carreiro says.
"It's easy to think data breaches are other companies' problems," she says. "The Inogen data breach is a reminder to makers and suppliers of medical technology and devices that they are not exempt from the threat of data breaches. Payment card information or medical records aren't the only things whose exposure counts as a data breach."
In fact, the Inogen data security incident is not the first breach involving a supplier of oxygen medical equipment.
Last June, Airway Oxygen, based in Grand Rapids, Mich., reported to HHS a hacking incident potentially impacting 500,000 current and past customers. In that incident, the company said its anti-virus software alerted IT staff that a ransomware attack was in progress against its systems.
The Airway Oxygen incident was the second largest health data breach reported to federal regulators in 2017, according to the HHS HIPAA Breach Reporting Tool website. Also commonly called the "wall of shame," the website lists reports of breaches impacting 500 or more individuals.
In addition, at least one medical technology firm has entered a HIPAA settlement with HHS's Office for Civil Rights as the result of a breach investigation.
Last April, OCR smacked CardioNet, a Malvern, Pa.-based mobile heart-monitoring technology firm, with a $2.5 million HIPAA settlement related to findings from an investigation into a 2012 breach involving a stolen unencrypted laptop computer. The hefty fine reflects regulators also finding that the organization lacked a sufficient risk analysis and risk mitigation.
Medical Device Risks
While the Inogen breach does not appear to involve the company's medical equipment products, experts note that medical devices are increasingly at risk for cyberattack.
For instance, in August 2015, the Food and Drug Administration, for the first time, issued a warning urging healthcare organizations to discontinue the use of a family of infusion pumps from manufacturer Hospira due to cybersecurity vulnerabilities that could potentially allow unauthorized users to control the device and change the dosage the pump delivers to patients.
More recently, in March, the Department of Homeland Security issued a warning of vulnerabilities involving hardcoded and default credentials in certain medical imaging product lines from GE Healthcare, which may allow a remote attacker to bypass authentication and gain access to the affected devices (see DHS: Some GE Imaging Devices Are Vulnerable).
Healthcare entities and manufacturers must consider the cybersecurity risks to devices, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"It's crucial that medical device manufacturers and healthcare facilities should take steps to assess for information security threats and vulnerabilities associated with their medical devices," he says. "This vulnerability increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices."