Update: This incident was reported to HHS on March 17 as impacting 140,781 patients.
Their press release:
Tandem Diabetes Care, Inc. (“Tandem”) is committed to protecting the confidentiality and security of our customers’ information. Regrettably, this notice is to inform our customers of a recent phishing incident that may have involved some customer information.
What happened?
On January 17, 2020, we learned that an unauthorized person gained access to a Tandem employee’s email account through a security incident commonly known as “phishing.” Once we learned about the incident, we immediately secured the account and a cyber security firm was engaged to assist in our investigation. Our investigation determined that a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020.
What information was involved?
Through the investigation, we learned that some customers’ information may have been contained in one or more of the Tandem email accounts affected by the incident. The affected email accounts may have contained customer names, contact information, information related to those customers’ use of Tandem’s products or services, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.
What actions should you take?
We recommend that customers review the billing statements they receive from their healthcare providers. If they see services they did not receive, they should contact the provider immediately. For those customers whose Social Security numbers were included in the email accounts, we are offering a complimentary membership of credit monitoring and identity protection services.
What are we doing?
We take the privacy and confidentiality of our customers’ information very seriously and apologize for any inconvenience or concern this incident may cause our customers. We are continuing to invest heavily in cyber security and data protection safeguards. We are also implementing additional email security controls, strengthening our user authorization and authentication processes, and limiting the types of data permitted to be transferred via email. We began mailing letters to affected customers on March 17, 2020 and established a dedicated call center for patients to call with questions. If you believe you are affected by this incident and do not receive a letter by April 17, 2020, please call 1-844-971-0675, Monday through Friday, between 6:00 a.m. and 3:30 p.m. Pacific Time, excluding major U.S. holidays.