An errant email sent to hundreds of One Medical patients exposed their email addresses. Several One Medical patients took to Twitter on Wednesday night sharing screenshots of the same email that was addressed to more than 900 people. It’s possible that the email was sent in batches to multiple groups of patients, but One Medical did not confirm how many people had been affected.
The message, which ironically began with, “ Hi %recipient.preferred_name%, Keeping your health information safe is a top priority for us…” asked users to verify their email address.
In a brief statement on Twitter, the company apologized and confirmed that the incident was not caused by a security breach. One Medical did not respond to requests for comment about what happened.
Although the emails didn’t include users’ names or health information, it could still qualify as a HIPAA breach, given that email addresses are considered an identifier under the privacy law.
“If patient email addresses are disclosed to unauthorized recipients along with health information — such as the fact that an individual is a patient of a particular provider — it generally constitutes a reportable breach under HIPAA, which means that it will have to be reported to affected individuals and to the state government,” wrote Dianne Bourque, an attorney at Mintz Levin who specializes in privacy.
The company will also have to consider different state regulations to see if it has additional reporting obligations. On top of that, depending on how many people were involved, it’s possible that the federal government would also open an investigation.
“Overlapping state and federal obligations are just one of the things that make data breaches so difficult,” she wrote.
It’s not a good look for One Medical, which faced a controversy earlier this year for letting some users jump the line for vaccines ahead of healthcare workers. But as far as security breaches go, it could have also been much worse. Not everyone’s email addresses include their name, and it doesn’t look like other sensitive information was revealed in the email, Bourque said.
Some One Medical users even found a little bit of humor in the situation.
“I, for one, am thankful. The pandemic has been hard on all of us, and I’m glad that One Medical has forced me to meet 980 new people,” one person replied all in an email signed, “A guy who knows how easy it is to make this mistake.”
Photo credit: Epoxydude, Getty Images