Inogen is a company that manufactures portable oxygen concentrators. An unauthorized person obtained the login credentials of an Inogen employee and accessed his email account. The compromised account held the personal information of about 30,000 people to whom Inogen had previously provided oxygen supply devices. The information in the account that the attacker may have viewed included names, addresses, telephone numbers, email addresses, birth dates, dates of death, Medicare ID numbers, health insurance information and types of equipment provided. No medical records, payment card information or Social Security numbers were exposed.
Inogen discovered that the email account was first accessed on January 2, 2018. Access continued until March 14. According to the forensic investigators hired to look into the breach, the perpetrator who accessed the account had an IP address that points to a location in a foreign country. It was confirmed that the attacker stole the credentials used to access the email account, but the method of obtaining them was not determined. It is possible that the attacker used a phishing email to get the login credentials. It is also possible that the attacker used another method, such as a man-in-the-middle attack.
Because the compromised data included insurance information that the attacker may misuse, Inogen offered the affected individuals credit monitoring services. They are also covered by an insurance reimbursement policy that will reimburse losses associated with the misuse of insurance information. The policy, however, will not cover expenses caused by the misuse of other information.
Inogen reported the data breach to the Department of Health and Human Services’ Office for Civil Rights to comply with HIPAA rules. Notification letters were also sent to the individuals whose information was compromised, and Inogen sent a data breach summary to the relevant state attorneys general.
To prevent similar breaches in the future, Inogen improved the security of its network system by using two-factor authentication. Any attempt to access an account from an unfamiliar device will require a second form of authentication before access is granted. The passwords of all accounts were reset, and additional security solutions were deployed to detect and block unauthorized access. Employees also received extra security awareness training.