Device manufacturer Inogen reports data breach affecting 30K consumers

California-based Inogen reported the breach through an SEC filing months after the regulator issued new guidelines.

A company that manufactures portable oxygen devices is notifying 30,000 customers that their information was leaked after an employee email account was hacked in January.

California-based Inogen reported the data breach in a Securities and Exchange Commission (SEC) filing on Friday. According to the company, an employee email account was accessed by an unauthorized user between Jan. 2 and March 14. A forensic firm hired to investigate the breach determined the hacker may have gained access to personal customer information, including Medicare identification numbers, insurance policy information and the type of medical equipment provided. 

The breach did not include medical records or financial information. The company said it has implemented new security updates to prevent future incidents, requiring all email users to change their passwords and implementing multifactor authentication for remote email access.

Founded in 2001, the company makes portable oxygen concentrators "designed to free patients from heavy tanks."

The notice comes on the heels of updated SEC guidance in which the regulator said it expects companies to inform investors of “material cybersecurity risks and incidents in a timely fashion.” 

The breach was small compared to some of the high-profile incidents in recent years, which raises the question of whether the company would have reported it prior to the SEC’s guidance.

“I hate to speculate on the forthrightness of companies, but it’s definitely a good question,” Laura Hammargren, a partner in the litigation and dispute resolution practice at Mayer Brown in Chicago, told FierceHealthcare. “It does seem to be relatively contained and it seems like it could’ve been a lot worse.”

“Whether this would have been an actual SEC filing [previously] seems more questionable,” she added. “In a previous life, they may not have reported.”

Notably, Inogen is not considered a covered entity under HIPAA, so it is not required to report data breaches to the Department of Health and Human Services.

Medical device cybersecurity has emerged as a pointed concern for industry groups and lawmakers alike, who worry that legacy systems are susceptible to hackers, which could have a devastating impact on patient care. The Inogen breach appears fairly mild compared to more sinister possible scenarios in which hackers take control of a medical device.

However, the breach does underscore the fact that health data are collected and stored across a broad range of companies, not just hospitals and insurers. 

“It does start to sink in a little more that a lot of health data is out there and we don’t really know if everyone has robust security practices,” Hammargren said.
