Cyber Incident Victim: Tandem Diabetes Care
Date: Jan 2020
Location: United States of America
Summary
A phishing incident compromised employee email accounts at Tandem Diabetes Care, allowing unauthorized access over several days. The breach potentially exposed customer names, contact details, product usage information, diabetes therapy clinical data, and limited Social Security numbers. The company secured affected accounts, engaged cybersecurity experts, and determined approximately 140,000 individuals were impacted. Notification letters were mailed, a dedicated support line was established, and credit monitoring services were offered to those with exposed Social Security numbers. Additional security measures included enhanced email controls, stricter authentication protocols, and restrictions on email data transfers to mitigate future risks.
Description
On January 17, 2020, Tandem Diabetes Care discovered unauthorized access to an employee’s email account resulting from a phishing attack. The compromise persisted until January 20, 2020, during which time an unknown actor potentially accessed multiple employee email accounts. The company immediately secured the affected accounts and engaged a cybersecurity firm to investigate the breach. The investigation revealed that the compromised accounts contained customer information, including names, contact details, data related to product usage, and clinical information about diabetes therapy. A limited number of records also included Social Security numbers. Tandem determined the incident exposed sensitive data but did not specify the exact number of affected individuals in its initial disclosure. The company reported the breach to the U.S. Department of Health and Human Services on March 17, 2020, indicating 140,781 impacted patients.

Tandem began notifying affected customers via mailed letters starting March 17, 2020, advising recipients to review healthcare billing statements for discrepancies. The company established a dedicated call center operational on weekdays during Pacific Time business hours to address inquiries. Customers whose Social Security numbers were exposed were offered complimentary credit monitoring and identity protection services. Internally, Tandem implemented enhanced email security controls, restricted email data transfer protocols, and strengthened user authentication processes to prevent similar incidents. The breach did not disrupt device operations or clinical services, but it exposed sensitive health and personal data, prompting organizational reviews of data retention and communication practices. No evidence of data misuse was disclosed in the notification.
