Inogen today announced it was the victim of a data breach in which employee email messages containing sensitive customer information were accessed from an external agent without authorization.
The Goleta, Calif.-based company said that messages were accessed externally between January 2 and March 14 this year, and contained attached files that “may have contained personal information belonging to Inogen rental customers,” as well as non-public financial information of the company.
Inogen said that it immediately took steps to secure its customer information, including hiring a forensics firm to investigate the intrusion and improve its security.
The forensics group determined that compromised rental customer personal information included names, addresses, telephone numbers, email addresses, dates of birth, dates of death, Medicare ID numbers, insurance policy information and specific medical equipment info, according to an SEC filing. Payment card information and medical records were not impacted, Inogen said.
Inogen said it is taking steps to notify approximately 30,000 current and former customers of the breach and that it plans to provide resources, including credit monitoring and insurance reimbursement to assist in correcting the breach. The company said it has also notified the appropriate regulatory bodies of the breach.
The company said it has forced updates on internal passwords following the incident, and that it has implemented multi-factor authentication for remote email access and has taken steps to limit access to its systems, according to an SEC filing.
The breach was deemed “manageable” by Leerink Partner analyst Danielle Antalffy, as it only affected rental customers which make up less than 10% of the company’s total revenue and did not contain credit card or financial information.
“While INGN may incur some incremental expense tied to fees to the forensics firm and outside counsel, other costs to provide assistance to customers to mitigate the risk, and incremental expenses to upgrade their information security system, we believe these should be largely immaterial. And most importantly, we expect no impact to sales tied to this breach. To us, the biggest risk is around whether this results in any lawsuits, for which they do have liability coverage, but the amount of possible damage is unpredictable,” Antalffy wrote in a letter to investors.