One Medical: Sorry-not-Sorry for Leaking your Personal Info

Primary care med-tech firm One Medical made an intern-level error this week. It sent email with hundreds of other customer email addresses visible in the To: field.

Despite claiming it wasn’t “a security breach,” it’s clearly a HIPAA violation. And it was, of course, swiftly followed by a hilarious reply-all storm.

One Medical also said “We apologize if,” which is never a good look. In today’s SB Blogwatch, we’re unapologetically scathing.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: EZ e-bike hack.


What’s the craic, Zack? Mister Whittaker reports—“One Medical exposed hundreds of customers’ email addresses”:

Security lapses
One Medical did not use the blind carbon copy (bcc:) field to mass email its customers, which would have hidden their email addresses from each other. … The email sent out by … the San Francisco-based [firm] had more than 980 email addresses.

We asked One Medical how many customers had their email addresses exposed and if the company plans to report the incident to state governments, as may be required under state data breach notification laws, but we did not immediately hear back. … On the scale of security lapses, this one is fairly low down on the impact scale — compared to a breach of passwords, or financial and health data. But the exposure of email addresses can still be used to identify customers of the company.

And Elise Reuter keeps it in the family—“Oops: Hundreds of One Medical patients’ emails exposed”:

Several One Medical patients took to Twitter on Wednesday night sharing screenshots of the same email that was addressed to more than 900 people. … Ironically [it] began with,
“Hi %recipient.preferred_name%, Keeping your health information safe is a top priority for us.”

It could still qualify as a HIPAA breach, given that email addresses are considered an identifier under the privacy law. … The company will also have to consider different state regulations to see if it has additional reporting obligations. … It’s possible that the federal government would also open an investigation.

One Medical … faced a controversy earlier this year for letting some users jump the line for vaccines ahead of healthcare workers. But as far as security breaches go, it could have … been much worse.

Part of good regulatory compliance is having good policies in place. Here’s GoTeam:

Less talented
I bet they’re having tons of fun right now creating a bunch of new policies and procedures. May even have to create a new “communications UI” for their “less talented” employees.

And what always happens when bulk sender doesn’t blind the recipients? A reply-all storm! @johnboiles obliges:

We love you
Oh man, One Medical just accidentally included 981 people in the TO field of an email. Of course I am going to reply all.

Gmail limits recipients to 500 people. Am I going to go through the trouble to reduce the list from 981 people? Absolutely:

Dear One Medical,
I’m very glad to hear that keeping my health information safe is a top priority for you. But sending my email address to hundreds of random people … does not inspire confidence in your ability to do so.
Sincerely, %recipient.preferred_name%

If you are the engineer that made this mistake: Know that we love you and we’ve all been there and a failure like this is not just your fault, but all the other engineers who failed to put in proper controls in place. And also I love goofy reply-all emails and this made my day.

But how does this happen in the 21st century? That’s the question asked by jacks smirking reven [sic]:

Email services
It’s 2021. Are they sending these out by hand from somebody’s Outlook? The world is awash in marketing email services that handle all this for you.

What if there were a lot more than 980? Jake Cole believes there were:

Different set
I don’t believe this was limited to just “hundreds of customers”. My wife and I each received an email blast like this with a different set of 1,000 email addresses. The email likely went out multiple times.

What a mess. Something should be done. But edi_guy reckons this ship has sailed:

Personal data rights
Not only has this ship already sailed, it hit a reef and sank. … I have multiple email addresses—one for spammy stuff, commercial businesses, free signups, etc. and one for personal (actual human beings). Awhile ago I just entered my spammy email address into Google, and yep not only did it link to my home address, but also to my ‘personal’ email as well.

So CC’ing a few hundred people is giggle funny for a news headline, meanwhile we’ve been totally screwed over: … Commercial data aggregators have pwn3d us for years.

I think we know the direction personal data rights is going. This is only going to get more and more vital to everyday life.

What does One Medical have to say for itself? Frankly, its content-free, sorry-not-sorry response doesn’t earn a place here. But you can click this link to the reply from Jen Granito—@jeng24—to see it:

We apologize if …
That is a pretty horrific apology. [You basically said] “We apologize if you feel badly about personal information being exposed.”

Thanks for responding publicly to the world about the problem before reaching out to those affected. This is definitely a HIPPA data breach. What is your plan to make this right?

Meanwhile, take heed of the memories of ol’ EvilSS:

Back in the day, some ***hole would print up everyone’s names, addresses and phone numbers. And drop it off on the front porch of every house in town!

And Finally:

Marcus “malwaretech” Hutchins proves he really is a hacker
(But sometimes, a “hack” doesn’t involve software.)

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Nick Fewings (via Unsplash)

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Sponsorships Available Unlike ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 432 posts and counting.See all posts by richi