An errant email sent to hundreds of One Medical patients exposed their email addresses. Several One Medical patients took to Twitter on Wednesday night sharing screenshots of the same email that was addressed to more than 900 people. It’s possible that the email was sent in batches to multiple groups of patients, but One Medical did not confirm how many people had been affected.
The message, which ironically began with, “Hi %recipient.preferred_name%, Keeping your health information safe is a top priority for us…” asked users to verify their email address.
![](https://medcitynews.com/wp-content/uploads/sites/7/2021/07/One-medical-verify-email-300x512.jpg)
One Medical sent an email to hundreds of users exposing their email addresses. Screenshot from Twitter
In a brief statement on Twitter, the company apologized and confirmed that the incident was not caused by a security breach. One Medical did not respond to requests for comment about what happened.
Although the emails didn’t include users’ names or health information, the incident could still qualify as a HIPAA breach, given that email addresses are considered an identifier under the privacy law.
“If patient email addresses are disclosed to unauthorized recipients along with health information — such as the fact that an individual is a patient of a particular provider — it generally constitutes a reportable breach under HIPAA, which means that it will have to be reported to affected individuals and to the state government,” wrote Dianne Bourque, an attorney at Mintz Levin who specializes in privacy.
The company will also have to consider different state regulations to see if it has additional reporting obligations. On top of that, depending on how many people were involved, it’s possible that the federal government would also open an investigation.
“Overlapping state and federal obligations are just one of the things that make data breaches so difficult,” she wrote.
It’s not a good look for One Medical, which faced a controversy earlier this year for letting some users jump the line for vaccines ahead of healthcare workers. But as far as security breaches go, it could have also been much worse. Not everyone’s email addresses include their name, and it doesn’t look like other sensitive information was revealed in the email, Bourque said.
Some One Medical users even found a little bit of humor in the situation.
“I, for one, am thankful. The pandemic has been hard on all of us, and I’m glad that One Medical has forced me to meet 980 new people,” one person replied all in an email signed, “A guy who knows how easy it is to make this mistake.”
Photo credit: Epoxydude, Getty Images