Oxygen concentrator supplier Inogen recently disclosed in a Securities and Exchange Commission (SEC) filing that it is notifying 30,000 current and former customers that their personal information may have been accessed during a data breach at the company earlier this year.
The data accessed includes “name, address, telephone number, email address, date of birth, date of death, Medicare identification number, insurance policy information and/or type of medical equipment provided,” according to the filing. The breach did not reveal any patient payment information or medical records, according to the company, though it may have revealed some of the company’s non-public financial information.
The breach occurred sometime between Jan. 2 and March 14 and involved unauthorized access to an employee’s email account. Targeting employees to gain access to sensitive data is a common tactic, accounting for 93 percent of data breaches, according to a recent report from Verizon, and email is an even more common entry point, featuring in 96 percent of data breaches.
The company is providing affected customers with credit monitoring and an insurance reimbursement policy, according to a report from Reuters. To prevent further attacks, the company has deployed security updates, required all email users to update their passwords, instituted “enhanced” training for use of electronic tools and has implemented multifactor authentication for users attempting to access their email from remote locations. The company also noted that its own insurance policy may be insufficient to cover all the costs stemming from the breach.
A report in FierceHealthcare notes that Inogen is not covered under HIPPA and so is not required by Health and Human Services to report data breaches and suggests that revelation of the attack may have been the result of new SEC guidance that requires companies to disclose “material cybersecurity risks and incidents in a timely fashion” to investors.
“Whether this would have been an actual SEC filing [previously] seems more questionable,” said Laura Hammargren, a partner at Mayer Brown in Chicago, according to FierceHealthcare. “In a previous life, they may not have reported.”
The company’s stock price, which has generally trended up in 2018, does not appear to have taken a hit, rising from $138.92 on Friday when the breach was disclosed to the public to $139.80 today.