Primary care company One Medical has apologized after it sent out an email that exposed hundreds of customers’ email addresses.
The email sent out by One Medical on Wednesday asked to “verify your email,” but one email seen by TechCrunch had more than 980 email addresses copied on the email. The cause: One Medical did not use the blind carbon copy (bcc:) field to mass email its customers, which would have hidden their email addresses from each other.
Several customers took to Twitter to complain, but also express sympathy for what was quickly chalked up to an obvious mistake. Some users reported varying numbers of email addresses on the email that they received.
omg @onemedical just sent this out with 981 other recipients in the to: field. let's see if i know anyone else on this thread! pic.twitter.com/9FdSYiEalE
— Evan Madow (@emadow) June 30, 2021
We asked One Medical how many customers had their email addresses exposed and if the company plans to report the incident to state governments, as may be required under state data breach notification laws, but we did not immediately hear back.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
In a brief statement posted to Twitter, One Medical acknowledged the mistake, said: “We are aware emails were sent to some of our members that exposed recipient email addresses. We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will take all appropriate actions to prevent this from happening again.”
On the scale of security lapses, this one is fairly low down on the impact scale — compared to a breach of passwords, or financial and health data. But the exposure of email addresses can still be used to identify customers of the company.
The San Francisco-based One Medical, backed by Google’s parent company Alphabet, went public last year just prior to the start of the pandemic.
Read more:
- Alphabet-backed primary care startup One Medical files to go public
- One Medical’s IPO will test the value of tech-enabled startups
- Passwordstate users warned to ‘reset all passwords’ after attackers plant malicious update
- Indian tech startup exposed Byju’s student data
- Peloton’s leaky API let anyone grab riders’ private account data
