Privacy

An Email Sent by One Medical Exposed Hundreds of Customers' Email Addresses (techcrunch.com)

Primary care company One Medical has apologized after it sent out an email that exposed hundreds of customers' email addresses. From a report: The email sent out by One Medical on Wednesday asked to "verify your email," but one email seen by TechCrunch had more than 980 email addresses copied on the email. The cause: One Medical did not use the blind carbon copy (bcc:) field to mass email its customers, which would have hidden their email addresses from each other. Several customers took to Twitter to complain, but also express sympathy for what was quickly chalked up to an obvious mistake. Some users reported varying numbers of email addresses on the email that they received.
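Two ways to send the same notice without the failure described above, plus a pre-send guard that would have caught it. This is an added example, not code from One Medical, TechCrunch or anyone in the discussion; the sender, recipient addresses, subject and the one-visible-recipient policy are constructed for illustration. It shows a Bcc:-based message (Python's smtplib.SMTP.send_message() uses Bcc: for envelope recipients and strips the header before transmission), the one-message-per-recipient approach that commenters below suggest scripting, and a check that rejects a message whose To:/Cc: fields would show customers each other's addresses.

```python
# Added example: not One Medical's, TechCrunch's, or any commenter's code.
# Demonstrates sending a bulk customer notice without exposing addresses and
# a pre-send guard against the mistake in the story (customer addresses in a
# visible To:/Cc: field).
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; placeholder addresses, not real customers.
SENDER = "noreply@example.com"
RECIPIENTS = ["alice@example.net", "bob@example.org", "carol@example.com"]
SUBJECT = "Please verify your email"
BODY = "Click the link in this message to verify your email address."

# Assumed policy: a customer notice has at most one visible recipient.
MAX_VISIBLE_RECIPIENTS = 1


class RecipientLeakError(ValueError):
    """Raised when a message would show customers each other's addresses."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: all of To: and Cc:, never Bcc:."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def would_leak(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True if more than `limit` addresses are visible to every recipient."""
    return len(visible_recipients(msg)) > limit


def check_no_leak(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> list[str]:
    """Pre-send gate: return the visible addresses, or raise if too many.

    Put this in front of whatever hands the message to SMTP so the mistake
    is stopped before delivery instead of being discovered by customers.
    """
    seen = visible_recipients(msg)
    if len(seen) > limit:
        raise RecipientLeakError(
            f"{len(seen)} addresses would be visible to every recipient (limit {limit})"
        )
    return seen


def _notice(sender: str, subject: str, body: str) -> EmailMessage:
    """Common headers and body shared by all variants below."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_notice(sender, recipients, subject, body) -> EmailMessage:
    """One message for everyone, customer list in Bcc:.

    smtplib.SMTP.send_message() takes the envelope recipients from Bcc: and
    removes the header before transmission, so no recipient sees the list.
    """
    msg = _notice(sender, subject, body)
    msg["To"] = sender  # the only visible address is the sender's own
    msg["Bcc"] = ", ".join(recipients)
    return msg


def build_per_recipient_notices(sender, recipients, subject, body) -> list[EmailMessage]:
    """One message per customer, each addressed only to that customer.

    The 'send one at a time' approach: no shared recipient list at all, and
    bounces are attributable to a single address.
    """
    notices = []
    for rcpt in recipients:
        msg = _notice(sender, subject, body)
        msg["To"] = rcpt
        notices.append(msg)
    return notices


def build_leaky_notice(sender, recipients, subject, body) -> EmailMessage:
    """The failure in the story: every customer placed in the visible To: field."""
    msg = _notice(sender, subject, body)
    msg["To"] = ", ".join(recipients)
    return msg


if __name__ == "__main__":
    safe = build_bcc_notice(SENDER, RECIPIENTS, SUBJECT, BODY)
    print("bcc notice, visible:", check_no_leak(safe))
    for m in build_per_recipient_notices(SENDER, RECIPIENTS, SUBJECT, BODY):
        print("per-recipient notice, visible:", check_no_leak(m))
    try:
        check_no_leak(build_leaky_notice(SENDER, RECIPIENTS, SUBJECT, BODY))
    except RecipientLeakError as err:
        print("blocked:", err)
```

The guard keys on To: and Cc: only, because those are the headers delivered to every recipient; a Bcc: header never reaches them when the message is sent through send_message(). The limit of one is a policy choice for customer notices; internal mail would use a different threshold.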
  • CC Strikes again.

    • by GoTeam ( 5042081 )
      I bet they're having tons of fun right now creating a bunch of new policies and procedures. May even have to create a new "communications UI" for their "less talented" employees.
      • I think there is a meeting happening right now to do eeny, meeny, miney, mo to choose which intern to take the place.

        But if they are at this level of laziness with the patient emails, wonder what the PHI situation is like. Probably not fantastic.

      • I bet they're having tons of fun right now creating a bunch of new policies and procedures. May even have to create a new "communications UI" for their "less talented" employees.

        That "communications UI" was what I came to suggest. They could dump Outlook and go to a FOSS solution like Evolution, or to webmail. Then they could pay someone for a modified version configured to disable the 'CC' option (or at least give a warning and prompt for confirmation) for anyone who might send bulk emails to customers.

        Come to think of it, that would be a cool option for any email client or webmail page. I can't see any good excuse for NOT having such a feature available to protect people and c

    • CC Strikes again.

      The larger problem is, email strikes again. It's the weakest point of any IT security system.

  • Are they sending these out by hand from somebodies Outlook? The world is awash in marketing email services that handle all this for you.

  • by edi_guy ( 2225738 ) on Thursday July 01, 2021 @10:42AM (#61540478)

    Not only has this ship already sailed, it hit a reef and sank. Like many people I have multiple email addresses, one for spammy stuff, commercial businesses, free signups, etc. and one for personal (actual human beings). A while ago I just entered my spammy email address into Google, and yep, not only did it link to my home address, but also to my 'personal' email as well.

    Commercial data aggregators have pwn3d us for years, and now our personal info is of so low value that it's plastered all over free, ad-based, garbage sites.

    So cc:ing a few hundred people is giggle funny for a news headline, meanwhile we've been totally screwed over by lack of legal remedy. There really needs to be an amendment to handle data privacy. At this point I think we know the direction personal data rights are going. This is only going to get more and more vital to everyday life. The country now has some weird aversion to creating new amendments to the constitution as though it's defaming the original. But the intent was to have this capability to let the constitution evolve with society.

    • by EvilSS ( 557649 ) on Thursday July 01, 2021 @10:47AM (#61540486)
      At least you had to go searching for it. I remember back in the day some asshole would print up everyone's names, addresses, and phone numbers and drop it off on the front porch of every house in town! Not only that, they sold ads to fund their doxing!
      • Ha, I see what you did there. Your ID should be much lower to remember those good old days. I think it was only a few years back where a much thinner yellow pages was dropped on the doorsteps of our neighborhood, well after such things were thought to have gone extinct. Not sure who did it or why, it certainly wasn't Ma Bell, maybe an ill-conceived startup.

        The younger neighbors were leafing through them like they were some ancient scrolls. Fun to observe, for the 59 minutes before they went into the recyc

        • by jnork ( 1307843 )

          "Your ID should be much lower to remember those good old days."

          And yet, I remember them too.

          It's possible for somebody to not have signed up for /. on day 1 but still be old enough to have e.g. watched the moon landing on TV as it happened.

        • by EvilSS ( 557649 )
          I recall a time in the mid-2010's when it seemed like the phone book industry was having some sort of weird death throes and started spewing out phone books everywhere. I would get the usual ma' bell fire starter log, and at least 6 different yellow pages each year, usually in the mail. Literally went from the mailbox to the recycle bin (although I would save the inevitable magnets attached to the cover). I can't imagine how much paper was wasted on those. When AT&T started to let you opt out, I did. St
    • A few months ago I bought a PC online from OfficeDepot.com (it was a good deal! Ryzen 7 5700G!), but the transaction was flagged and I had to go to the store and show the manager my ID and the credit card I'd used, then get on the phone with the fraud reviewer, from the store, on the store's phone line.

      Turns out the reason it got flagged was because someone sold OfficeDepot some sort of anti-fraud identity database or something that contained an email address I used 5 years ago to sign up on Twitter using

    • by Kludge ( 13653 )

      There really needs to be an amendment to handle data privacy.

      In the USA most states have laws regarding data privacy. However, in general your email is not considered private, just as your regular mailing address is not considered private. Nor is your phone number (remember phone books?).
      This story is mostly a big nothing burger.

  • by Thelasko ( 1196535 ) on Thursday July 01, 2021 @11:00AM (#61540536) Journal
    Just click "Reply All" to the email and tell them to stop making such dumb mistakes.
  • These businesses have an IT Department for a reason. While even doing a BCC would be better, the better option would be to send the message with the email addresses and have IT do it.

    Yes it will be more work for all parties.
    As when the request gets to IT, they will put it to their manager, then perhaps to compliance for approval. Then they may write a script to send the email one at a time to each person vs all at once.

    However, this would add steps to reduce the chance of a HIPAA violation, as well a shared res

    • As when the request gets to IT, they will put it to their manager, then perhaps to compliance for approval. Then they may write a script to send the email one at a time to each person vs all at once.

      They would just install a mailing list package and have it done the right way.
      It's also possible their managers would insist on paying for a mailing company to handle it, in which case the same would be accomplished but cost more.

  • I wonder if HIPAA has a section on "sympathy for what was quickly chalked up to an obvious mistake"? I'm guessing not.
    • I wonder if HIPAA has a section on "sympathy for what was quickly chalked up to an obvious mistake"? I'm guessing not.

      This is about email addresses being harvested, so there is probably no reason to start throwing the HIPAA acronym around.

      • HIPAA is relevant. Revealing that "firstName.lastName at myEmployer.com" is one of your patients is in itself inappropriately disclosing PHI. Email addresses can often be easily tied to a person's identity. You can imagine how it'd be particularly concerning if they were a clinic that specialized in, for example, treatment of substance abuse or sexual disorders. One Medical provides general primary care so it might be less of a big deal to the patients, but I doubt the OCR (Office for Civil Rights, enforce
  • Technology, Support, and common sense were all done for when we decided that the calls for severe beatings of "reply to all" and "caps lock" incidents were branded as bitter and jaded.
