Apria Healthcare LLC, the victim of the data breach, serves more than 2 million patients annually, offering a wide range of medical equipment for conditions such as COPD, sleep apnea, and diabetes.
On 1st September 2021, Apria Healthcare, a leading provider of home healthcare equipment, was notified (PDF) that unauthorized access had been detected in its computer network, compromising the personal and confidential information of up to 1.8 million individuals.
On May 22, 2023, Apria Healthcare filed a notice with the Maine Attorney General regarding a data breach that occurred on its systems. An unauthorized party successfully accessed files containing confidential patient information, including names, Social Security numbers, personal details, medical records, health insurance information, and financial data.
The financial data accessed includes account numbers, credit/debit card numbers, account security codes, access codes, passwords, and PINs. The breach spanned two periods: from 5th April to 7th May 2019, and from 27th August to 10th October 2021.
Apria Healthcare promptly initiated an investigation upon discovering the breach, engaging a cybersecurity firm to assess the extent of the unauthorized access. As part of their response, the company reviewed the compromised files to determine the specific information exposed and identify the affected individuals.
On May 22, 2023, Apria sent out data breach notification letters to all individuals whose data was potentially compromised during the incident.
The timeline of the incident raises the question: why did it take Apria 20 months from the discovery of the data breach to issue breach notification letters and file a notice with the Maine Attorney General?
Apria Healthcare LLC, headquartered in Indianapolis, Indiana, is a prominent provider of home healthcare equipment. With over 200 locations across the United States, the company serves more than 2 million patients annually, offering a wide range of medical equipment for conditions such as COPD, sleep apnea, and diabetes.
Apria Healthcare asserts that the attackers’ primary objective was to “fraudulently obtain funds from Apria and not to access personal information of its patients or employees.”
In recent years, healthcare providers have become attractive targets for cybercriminals due to the vast amount of sensitive information they possess. Individuals who have received data breach notification letters from Apria Healthcare are urged to take immediate action to protect themselves against potential identity theft or fraud. Seeking guidance from a data breach lawyer can provide valuable insights into legal options and steps to mitigate the risks associated with the breach.
Following the breach, Apria Healthcare has worked closely with law enforcement, including the Federal Bureau of Investigation (FBI), to investigate the incident thoroughly. The company has implemented additional security measures to enhance its network’s resilience and prevent similar breaches from occurring in the future.
While there is currently no evidence of data theft or misuse, the possibility cannot be ruled out. To address the situation and mitigate potential risks, Apria Healthcare has taken several measures to safeguard affected individuals. It has extended a gesture of support to affected individuals by offering one year of complimentary credit monitoring services through Kroll, a renowned provider of identity theft protection services.