Inogen, a manufacturer of portable oxygen concentrators, has discovered that an unauthorized individual obtained an employee's credentials and used them to access the staff member's email account.
Phishing and other credential theft incidents are commonplace in the healthcare industry, but what makes this incident unusual is the number of people affected. The compromised email account contained the personal information of approximately 30,000 people who had previously been supplied with oxygen supply devices.
The information potentially viewed and obtained by the attacker includes names, telephone numbers, addresses, email addresses, dates of birth, dates of death, types of equipment provided, Medicare ID numbers and health insurance details. Medical histories, Social Security numbers, and payment card details were not accessed.
Also notable is the time it took to identify the breach. Inogen reports that access to the email account was first obtained on January 2, 2018 and continued until March 14. Forensic investigators were contracted to determine exactly how the breach happened, its extent, and the number of patients affected. The forensics firm confirmed the account had been accessed and, based on the IP address used to access it, determined that the perpetrator was located in a foreign country.
While stolen credentials were used in the attack, it is still unclear exactly how those credentials were obtained. Phishing is a possibility, but the credentials could also have been taken by other means, such as a man-in-the-middle attack.
Since it is possible that the insurance information could be misused by the attacker, Inogen has offered credit monitoring services to affected individuals, who will also be covered by an insurance reimbursement policy. While that policy will recoup losses in the event of insurance information misuse, Inogen has noted that it may not cover expenses related to the misuse of data.
Inogen must comply with the Health Insurance Portability and Accountability Act Rules and has reported the breach to the Department of Health and Human Services' Office for Civil Rights (OCR). Affected people have been notified by mail, and the relevant state attorneys general have been provided with a data breach summary.
Security has been enhanced in the aftermath of the attack, including the introduction of two-factor authentication. If an unfamiliar device is used to log on to an account, a second form of authentication is now required before access is granted. In addition, all passwords have been reset, additional electronic tools have been deployed to prevent unauthorized access, and employee training has been strengthened.
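The unfamiliar-device rule described above, as an added illustration that is not Inogen's code or any description of their implementation: a login from a device the account has not seen before (or from outside the user's usual country) must pass a second factor before the mailbox is opened, and only a successful second factor registers the new device. The device IDs, countries and the login events are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    """Per-account state the step-up rule consults (hypothetical schema)."""
    email: str
    home_country: str
    known_devices: set = field(default_factory=set)

def evaluate_login(profile: UserProfile, device_id: str, country: str,
                   second_factor_ok: bool) -> str:
    """Return 'allow' or 'challenge' (a second factor is required first).

    A known device logging in from the home country is trusted. Anything else
    (new device, or known device from another country) must present a valid
    second factor; only then is the device added to the known set.
    """
    if device_id in profile.known_devices and country == profile.home_country:
        return "allow"
    if not second_factor_ok:
        return "challenge"
    profile.known_devices.add(device_id)   # register only after the 2nd factor
    return "allow"

def replay(profile: UserProfile, events):
    """Apply the rule to (timestamp, device_id, country, second_factor_ok) events."""
    return [(ts, evaluate_login(profile, dev, ctry, ok)) for ts, dev, ctry, ok in events]

# Constructed sample: one enrolled laptop, then an access attempt from an
# unregistered device in a foreign country (the pattern in the article), then a
# legitimate new phone enrolled via a second factor.
SAMPLE_PROFILE = UserProfile("staff@example.com", "US", {"laptop-A"})
SAMPLE_EVENTS = [
    ("2018-01-02T03:14:00Z", "laptop-A",  "US",      False),
    ("2018-01-02T09:30:00Z", "unknown-X", "FOREIGN", False),
    ("2018-01-05T10:00:00Z", "phone-B",   "US",      True),
    ("2018-01-06T10:00:00Z", "phone-B",   "US",      False),
]

if __name__ == "__main__":
    for ts, decision in replay(SAMPLE_PROFILE, SAMPLE_EVENTS):
        print(ts, decision)
```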