Primary care company One Medical has apologized after it sent out an email that exposed hundreds of customers’ email addresses.
The email sent out by One Medical on Wednesday asked customers to “verify your email,” but one email seen by TechCrunch had more than 980 email addresses copied on it. The cause: One Medical did not use the blind carbon copy (bcc:) field to mass email its customers, which would have hidden their email addresses from each other.
Several customers took to Twitter to complain, but also to express sympathy for what was quickly chalked up to an obvious mistake. Some users reported varying numbers of email addresses on the email that they received.
We asked One Medical how many customers had their email addresses exposed and if the company plans to report the incident to state governments, as may be required under state data breach notification laws, but we did not immediately hear back.
In a brief statement posted to Twitter, One Medical acknowledged the mistake, saying: “We are aware emails were sent to some of our members that exposed recipient email addresses. We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will take all appropriate actions to prevent this from happening again.”
On the scale of security lapses, this one is fairly low in impact compared to a breach of passwords, or financial and health data. But exposed email addresses can still be used to identify customers of the company.
The San Francisco-based One Medical, backed by Google’s parent company Alphabet, went public last year just prior to the start of the pandemic.
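The failure described above, recipients placed in a visible field instead of bcc:, can be caught before a mass mailing leaves the sender. The Python sketch below is an added example, not code from One Medical or TechCrunch; the one-address limit, the function names and the example.com addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: a bulk message may show one recipient address


def visible_recipients(msg):
    """Addresses every recipient can read: the To and Cc headers.

    Bcc is left out because smtplib's send_message() strips that header
    before transmission, so those addresses are not shown to anyone.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields) if addr]


def check_bulk_message(msg, max_visible=MAX_VISIBLE):
    """Refuse a message that would reveal a recipient list."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise ValueError(f"{len(seen)} addresses visible in To/Cc; limit is {max_visible}")
    return msg


def build_individual(sender, subject, body, recipients):
    """One message per recipient, so no header ever carries the full list."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(check_bulk_message(msg))
    return messages


# Constructed sample data (example.com addresses, not from the incident).
MEMBERS = ["a@example.com", "b@example.com", "c@example.com"]

if __name__ == "__main__":
    exposed = EmailMessage()
    exposed["To"] = ", ".join(MEMBERS)  # the failure mode: everyone in To
    try:
        check_bulk_message(exposed)
    except ValueError as err:
        print("blocked:", err)
    print(len(build_individual("noreply@example.com", "Verify your email", "Hi", MEMBERS)), "messages built")
```

Running the check as a gate in the sending pipeline means a mis-addressed campaign fails before delivery rather than after.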