Oxygen equipment maker Inogen announced that information on 30,000 customers was hacked as an attacker compromised the credentials of an employee.
In the grand scheme of breaches, this one barely registers. Yes, HIPAA-protected information was taken (and Health and Human Services may come after them in, say, 2021), but it is another example of totally preventable, self-inflicted wounds.
OK, now that I have sufficiently beaten them up, let's look at what they did wrong.
The company is publicly traded, so they need to be SOX compliant. They should have a Board advising them on issues like cybersecurity, but likely do not. Totally silent on the issue.
The breach went from January 2 to March 14 – certainly not the longest breach, but certainly not the shortest. I know of an incident recently where a company received indicators of a breach at 6:30 AM one day and had contained and mitigated the breach before 9:00 AM the same day and they are looking to shorten that window. What kind of monitoring and alerting did Inogen have? Over two months for the hacker to do the dastardly deed? Obviously, not good enough.
The stolen emails contained name, address, phone number, email address, date of birth, date of death, Medicare ID number, insurance information and type of equipment. What is that doing in email? That belongs inside a secure application or web portal. Not only is this a HIPAA violation before the breach, it is a privacy breach after the event. The company is based in California, so the Attorney General may be rattling their cage as well.
The worker’s credentials were compromised and then the attacker logged in. From another country. Two factor authentication would have neutered the attack and, failing that, conditional access geo-fencing would have stopped the attacker cold. Where was their CISO? Do they even have one?
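To make the two points above concrete (the two-month detection gap and the 2FA / geo-fencing controls), here is an added illustration that is not Inogen's code or any vendor's product. It evaluates constructed sign-in log lines the way a conditional access policy plus a SIEM alert rule would: access is allowed only if the password was accepted, MFA was satisfied, and the source country is on the tenant's allowlist. The log format, the `ALLOWED_COUNTRIES` set and the country code `ZZ` (a placeholder for any non-allowlisted country) are all assumptions made for the example.

```python
"""Sign-in policy check: MFA required plus a geographic allowlist.

Added example, not the company's or a vendor's code. Parses constructed
sign-in records, applies a conditional-access style policy, and returns
the events a SOC would want alerted: a correct password that was still
blocked by MFA or geo-fencing is the signature of a compromised credential.
"""
from dataclasses import dataclass

# Hypothetical allowlist; a real tenant derives this from where staff actually work.
ALLOWED_COUNTRIES = {"US"}


@dataclass(frozen=True)
class SignIn:
    timestamp: str
    user: str
    source_country: str
    password_ok: bool   # identity provider accepted the password
    mfa_ok: bool        # second factor was presented and verified


def parse_line(line: str) -> SignIn:
    """Parse one 'key=value ...' record (constructed format for this example)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return SignIn(
        timestamp=fields["ts"],
        user=fields["user"],
        source_country=fields["country"],
        password_ok=fields["password"] == "ok",
        mfa_ok=fields["mfa"] == "ok",
    )


def evaluate(event: SignIn) -> tuple[str, str]:
    """Return (decision, reason) for one sign-in, checking controls in order."""
    if not event.password_ok:
        return ("deny", "bad credentials")
    if not event.mfa_ok:
        return ("deny", "MFA not satisfied")
    if event.source_country not in ALLOWED_COUNTRIES:
        return ("deny", f"sign-in from {event.source_country} outside allowlist")
    return ("allow", "policy satisfied")


def alerts(log_text: str) -> list[str]:
    """Alert lines for sign-ins where the password was correct but policy blocked access.

    A plain wrong password is noise; a right password from the wrong place or
    without MFA is the event worth paging on, and the one that should not sit
    unnoticed for two months.
    """
    out = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        decision, reason = evaluate(event)
        if event.password_ok and decision == "deny":
            out.append(
                f"{event.timestamp} ALERT user={event.user} "
                f"country={event.source_country} reason={reason}"
            )
    return out


# Constructed sample sign-ins (not real log data). ZZ stands in for any
# country not on the allowlist.
SAMPLE_LOG = """\
ts=2018-01-02T03:14:00Z user=j.doe country=US password=ok mfa=ok
ts=2018-01-02T03:20:00Z user=j.doe country=ZZ password=ok mfa=none
ts=2018-01-02T03:21:00Z user=j.doe country=ZZ password=ok mfa=ok
ts=2018-01-02T03:25:00Z user=a.smith country=US password=fail mfa=none
"""

if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Run as-is and the second and third sample records produce alerts: the attacker with a stolen password is stopped by the MFA check, and even a sign-in that somehow satisfied MFA is still stopped by the geo-fence. The failed password attempt from an allowed country is not alerted on, which keeps the rule from drowning in ordinary typos.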
One thing they did right – they disclosed the breach in their latest SEC filings. In light of the SEC’s new cybersecurity transparency rules, that is probably a very smart move (to disclose). One less party out to sue them.
In the SEC filing the company said they hired a forensics firm and made users change their passwords. Definitely impressive (not).
They have also turned on two factor authentication. A little late, but better late than never.
Oh, yeah, they have started training. Nice. Would have been nicer years ago.
One challenge is the founders are a few young kids who did not, until this, have many battle scars.
I am guessing they are getting those scars now.
Finally, they say in the SEC filing that they have insurance but it may not cover the costs. Cyber insurance is good, but you better have enough and the right options. Depending on what lawsuits happen and what regulators (such as Cali and HHS) go after them, this could cost them a couple of million or more. Depending on what coverage they have, they could be writing all or part of that check themselves.
As a side note, Airway Oxygen, likely a competitor, told HHS last June that they had a breach affecting 500,000 customers.
Cardionet paid a fine to HHS last year of $2.5 million. That is just the fine and doesn’t cover any other costs. With a fine like that, Inogen’s total costs could be in the $3-$5 million range. If they have a $1 million cyber policy, they will be writing a large check.
Other companies could learn from their lessons. The learning part is free. OR, they can wait until their story is in the news. That can be a tad more expensive!
Information for this post came from Careers Info Security.