[BreachExchange] Email Breach at Oxygen Equipment Maker Affects 30, 000

[Inga Goddijn]

https://www.careersinfosecurity.com/email-breach-at-oxygen-equipment-maker-affects-30000-a-10804

Unauthorized access to an employee's email account has resulted in a breach
affecting 30,000 current and former rental customers of Inogen, a maker and
supplier of oxygen equipment, the publicly traded company has disclosed in
a filing with the Securities and Exchange Commission.

*See Also:* How to Scale Your Vendor Risk Management Program
<https://www.careersinfosecurity.com/webinars/how-to-scale-your-vendor-risk-management-program-w-1326?rf=promotional_webinar>

In addition to customers' personal information, Inogen says the breach may
have exposed nonpublic financial information of the Goleta, Calif.-based
company.

Inogen's 8-K filing
<https://www.sec.gov/Archives/edgar/data/1294133/000156459018008092/ingn-8k_20180413.htm>
 with the SEC on April 13 says that the unauthorized access from outside
the company to an employee's emails and attached files appears to have
occurred between Jan. 2 and March 14, 2018.

Some of the messages and file attachments may have contained personal
information of Inogen equipment rental customers, including name, address,
telephone number, email address, date of birth, date of death, Medicare
identification number, insurance policy information and type of medical
equipment provided.

Inogen is notifying affected individuals and offering them free credit
monitoring and an insurance reimbursement policy, the company notes in its
filing.
Breach Notification

Ali Bauerlein, Inogen's CFO, tells Information Security Media Group that
the company is reporting the incident to the U.S. Department of Health and
Human Services as a health data breach under HIPAA
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>, and it's also
notifying state attorneys generals.

The breach <http://www.healthcareinfosecurity.com/breach-response-c-324> was
detected on March 14, she says.

A forensics investigation so far has determined that the attacker gained
access to the employee's email through compromising the worker's
credentials, Bauerlein says. The IP address of the intruder was based in
another country, she says, declining to identify the nation. The company
has not yet determined what kind of attack was involved - "whether
phishing, man-in-the-middle or something else," she says.

Privacy and security attorney Laura Hammargren of the law firm Mayer Brown,
who is not involved in the Inogen case, notes: "What is interesting to me
about the breach is that Inogen made this an SEC filing; it begs the
question of whether the SEC's recent guidance will prompt more regular
disclosure of data incidents."

The SEC says its revised cybersecurity guidance
<https://www.databreachtoday.com/sec-releases-updated-cybersecurity-guidance-a-10678>
 issued in February is aimed at assisting publicly traded companies in
preparing disclosures about cybersecurity risks and incidents.
Taking Action

Inogen notes in the SEC filing that it has hired a forensics firm to
investigate the incident and to help bolster security of its systems. The
company is requiring all email users to change their passwords.

The company has also implemented multifactor authentication
<http://www.healthcareinfosecurity.com/authentication-c-206> for remote
email access and has taken additional steps to further limit access to its
systems and other preventive measures, including enhanced training
<http://www.healthcareinfosecurity.com/awareness-training-c-27> and use of
electronic tools, the filing notes.
Insurance Coverage

Inogen has insurance coverage in place for certain potential liabilities
and costs relating to the incident, but this insurance may not be adequate
to protect against all costs, the company notes in the filing. Bauerein
says Inogen has not yet determined the potential costs of the breach.

Litigation attorney Patricia "Trish" Carreiro
<https://www.healthcareinfosecurity.com/interviews/what-comes-next-in-carefirst-data-breach-case-i-3894>
 of the law firm Axinn, Veltrop & Harkrider who is not involved with the
case, says the Inogen breach illustrates that insurance for cyber incidents
and breaches differs from most other kinds of insurance.

"Part of what makes cyber insurance so unique is that there is no uniform
'basic' cyber insurance policy," she says. "Every policy's language is
different, and they usually include options for many different coverages.
What coverage a client needs depends on what their risks are and what other
tools they have in place to protect themselves from those risks. Some of
the most important coverage to have is for the costs of your forensic
investigation - this is a common coverage."

Other useful coverage, she says, includes business interruption, data
breach notification expenses, attorney's fees, public relations
professional fees, call center expenses and credit monitoring or identity
theft insurance for impacted individuals.
Other Incidents

Other medical equipment makers and suppliers should take notice of the
Inogen incident, Carreiro says.

"The Inogen data breach is a reminder to makers and suppliers of medical
technology and devices that they are not exempt from the threat of data
breaches."

"It's easy to think data breaches are other companies' problems," she says.
"The Inogen data breach is a reminder to makers and suppliers of medical
technology and devices that they are not exempt from the threat of data
breaches. Payment card information or medical records aren't the only
things whose exposure counts as a data breach."

In fact, the Inogen data security incident is not the first breach
involving a supplier of oxygen medical equipment.

Last June, Airway Oxygen
<https://www.healthcareinfosecurity.com/ransomware-attack-affects-500000-patients-a-10057>,
based in Grand Rapids, Mich., reported to HHS a hacking incident
potentially impacting 500,000 current and past customers. In that incident,
the company said its anti-virus software alerted IT staff that a ransomware
<https://ransomware.databreachtoday.com/> attack was in progress against
its systems.

The Airway Oxygen incident was the second largest health data breach
reported to federal regulators in 2017, according to the HHS HIPAA Breach
Reporting Tool website. Also commonly called the "wall of shame,"
<https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf> the website lists
reports of breaches impacting 500 or more individuals.

In addition, at least one medical technology firm has entered a HIPAA
settlement with HHS's Office for Civil Rights as the result of a breach
investigation.

Last April, OCR smacked CardioNet
<https://www.healthcareinfosecurity.com/hhs-smacks-heart-monitoring-firm-25-million-settlement-a-9863>,
a Malvern, Pa.-based mobile heart-monitoring technology firm, with a $2.5
million HIPAA settlement related to findings from an investigation into a
2012 breach involving a stolen unencrypted
<http://www.healthcareinfosecurity.com/encryption-c-209> laptop computer.
The hefty fine reflects regulators also finding that the organization
lacked a sufficient risk analysis and risk mitigation.
Medical Device Risks

While the Inogen breach does not appear to involve the company's medical
equipment products, experts note that medical devices
<http://www.healthcareinfosecurity.com/mobility-c-212> are increasingly at
risk for cyberattack.

For instance, in August 2015, the Food and Drug Administration for the
first time, issued a warning urging healthcare organizations to discontinue
the use of a family of infusion pumps from manufacturer Hospira
<https://www.healthcareinfosecurity.com/fda-discontinue-use-flawed-infusion-pumps-a-8449>
 due to cybersecurity vulnerabilities that potentially allow unauthorized
users to control the device and change the dosage the pump delivers to
patients.

More recently, in March, the Department of Homeland Security issued a
warning of vulnerabilities involving hardcoded and default credentials in
certain medical imaging product lines from GE Healthcare, which may allow a
remote attacker to bypass authentication and gain access to the affected
devices (see *DHS: Some GE Imaging Devices Are Vulnerable*
<https://www.healthcareinfosecurity.com/dhs-some-ge-imaging-devices-are-vulnerable-a-10727>
).

Healthcare entities and manufacturers must consider the cybersecurity risks
to devices, says privacy attorney David Holtzman, vice president of
compliance at security consultancy CynergisTek.

"It's crucial that medical device manufacturers and healthcare facilities
should take steps to assess for information security threats and
vulnerabilities associated with their medical devices," he says. "This
vulnerability increases as medical devices are increasingly connected to
the internet, hospital networks and to other medical devices."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180415/bc8202b6/attachment.html>