Device manufacturer Inogen reports data breach affecting 30K consumers

California-based Inogen reported the breach through an SEC filing months after the regulator issued new guidelines. (tashka2000/Getty)

A company that manufactures portable oxygen devices is notifying 30,000 customers that their information was leaked after an employee email account was hacked in January.

California-based Inogen reported the data breach in a Securities and Exchange Commission (SEC) filing on Friday. According to the company, an employee email account was accessed by an unauthorized user between Jan. 2 and March 14. A forensic firm hired to investigate the breach determined the hacker may have gained access to personal customer information, including Medicare identification numbers, insurance policy information and the type of medical equipment provided. 

The breach did not include medial records or financial information. The company said it has implemented new security updates to prevent future incidents, requiring all email users to change their passwords and implementing multifactor authentication for remote email access.

Founded in 2001, the company makes portable oxygen concentrators "designed to free patients from heavy tanks."

RELATED: SEC’s updated cybersecurity guidance could have implications for healthcare M&A

The notice comes on the heels of updated SEC guidance in which the regulator said it expects companies to inform investors of “material cybersecurity risks and incidents in a timely fashion.” 

The breach was small compared to some of the high-profile incidents in recent years, which raises the question about whether the company would have reported it prior to the SEC’s guidance.

“I hate to speculate on the forthrightness of companies, but it’s definitely a good question,” Laura Hammargren, a partner in the litigation and dispute resolution practice at Mayer Brown in Chicago told FierceHealthcare. “It does seem to be relatively contained and it seems like it could’ve been a lot worse.”

“Whether this would have been an actual SEC filing [previously] seems more questionable,” she added. “In a previous life, they may not have reported.”

RELATED: FDA announces firmware update to resolve cybersecurity vulnerabilities in Abbott pacemakers

Notably, Inogen is not considered a covered entity under HIPAA so it is not required to report data breaches to the Department of Health and Human Services.

Medical device cybersecurity has emerged as a pointed concern for industry groups and lawmakers alike who worry that legacy systems are susceptible to hackers which could have a devastating impact on patient care. The Inogen breach appears fairly mild compared to more sinister possible scenarios in which hackers take control of a medical device.

However, the breach does underscore the fact that health data are collected and stored across a broad range of companies, not just hospitals and insurers. 

“It does start to sink in a little more that a lot of health data is out there and we don’t really know if everyone has robust security practices,” Hammargren said.