Data Breach Exposes One Medical Customer Email Addresses

July 07, 2021 - Customers of One Medical, a direct paid, membership-based primary care practice, inadvertently had their email addresses shared with fellow customers. 

“We are aware emails were sent to some of our members that exposed recipient email addresses,” read a statement the health provider company published on Twitter on June 30.  “We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will be taking all appropriate actions to prevent this from happening again.”  

The company, which has headquarters in both San Francisco and New York, serves patients in Atlanta, Austin, Boston, Chicago, Los Angeles, New York, Orange County, Phoenix, Portland, San Diego, Seattle, the San Francisco Bay Area, and Washington, D.C.  

One Medical customers shared screen shots of an email they received and detailed their complaints on Twitter on June 30.  

One Twitter user, Bryan Haggerty (@bhaggs) tweeted, “Wow @onemedical just exposed hundreds of patients’ email addresses in this email for customers to verify their email address. I feel for those on the team now having to handle this.”  

Another Twitter user, Teresa Johns (@teresa) tweeted on July 1 that she feels badly for the company. “Not blaming the intern but someone @onemedical sent 900 of us an email asking us to verify our emails but they failed to BCC our email addresses. The reply all jokes are actually hilarious. so far no word from OneMedical.”  

According to their its website, One Medical is a paid, membership-based, primary care service. “Our members enjoy seamless access to comprehensive care at calming offices near where they work, live, and shop in twelve major U.S. markets, as well as 24/7 access to virtual care. In addition to a direct-to-consumer membership model, we work with more than 8,000 companies to provide One Medical health benefits to their employees.”  

Fellow One Medical customer, Jen Granito (@jeng24) took to Twitter on July 1 to share her feelings about the incident.  

“Thanks for responding publicly to the world about the problem before reaching out to those affected. This is definitely a HIPPA [sic] data breach. What is your plan to make this right?”  

“Also that is a pretty horrific apology,” she tweeted to the company. “One medical = We apologize if you feel badly about personal information being exposed VS. Appropriate = We apologize for messing up. We realize you have legit questions and concerns and promise to answer (every one) of them.” 

One Medical refers to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on its website and states that, “We may use your PHI, including your email address or phone number, to contact you. For example, we may also use this information to send you appointment reminders and other communications relating to your care and treatment, or let you know about treatment alternatives or other health related services or benefits that may be of interest to you, via email, phone call, or text message.” 

As of press time today, One Medical has not responded to a request for an interview with Xtelligent Healthcare Media.  

Email addresses are protected under HIPPA as individually identifiable health information, according to the U.S. Department of Helath and Human Services. 

According to the U.S. Department of Health and Human Services, “Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number."