Apria Healthcare LLC

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Apria Healthcare LLC, a provider of home medical equipment, experienced a significant data breach that affected the personal, financial, and health information of nearly 1.8 million patients and employees. The breach was first discovered on September 1, 2021, when Apria was notified that an unauthorized third party had accessed select systems. The company took immediate action to mitigate the incident, including contacting the FBI and hiring a forensic investigation team[1][3].

The unauthorized access occurred during two separate periods: from April 5, 2019, to May 7, 2019, and again from August 27, 2021, to October 10, 2021. The investigation suggested that the primary goal of the unauthorized access was to fraudulently obtain funds from Apria, rather than to access personal information. Despite this, a small number of emails and files were confirmed to have been accessed, although there was no proof that any data was actually taken from the systems[1][2][3].

The information potentially accessed varied by individual and could include personal, medical, health insurance, or financial information, and in some cases, Social Security numbers. Apria has since notified the affected individuals and is providing complimentary identity protection services. The company has also implemented additional security measures to prevent a recurrence of such a breach[1][3].

Despite the breach being discovered in 2021, Apria did not notify the affected individuals until May 22, 2023, which is well outside the timeframe required by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA mandates that covered entities must inform patients of compromises to their protected health information without unreasonable delay and no later than 60 calendar days from the discovery of the breach[1].

The delay in notification has led to several lawsuits against Apria Healthcare LLC, with plaintiffs alleging that the company failed to secure their personally identifiable information and did not provide timely notice of the data breaches. Some of the lawsuits are seeking class-action status on behalf of the affected individuals[5][8][9].

The breach notification filed with the Maine Attorney General’s Office detailed the types of information that were potentially accessed and confirmed that consumer reporting agencies had been notified due to the number of affected individuals exceeding 1,000[4].

Apria Healthcare LLC is based in Indianapolis, Indiana, and serves over 2 million patients from more than 200 locations across the United States. The company was acquired by Owens & Minor Inc. in 2022[2][5].

Citations:

  1. https://www.scmagazine.com/news/apria-healthcare-notifies-nearly-2-million-patients-of-2021-data-breach
  2. https://www.cpomagazine.com/cyber-security/apria-healthcare-data-breach-exposed-sensitive-information-of-nearly-2-million-patients/
  3. https://www.businesswire.com/news/home/20230522005644/en/Apria-Notice-of-Data-Breach
  4. https://apps.web.maine.gov/online/aeviewer/ME/40/bf218a4e-1ffd-4f14-a74d-3d34aec8d6c7.shtml
  5. https://www.insideindianabusiness.com/articles/medical-supplier-apria-sued-over-massive-data-breach
  6. https://healthitsecurity.com/news/2m-individuals-impacted-by-healthcare-data-breach-at-apria-healthcare
  7. https://www.hipaajournal.com/apria-healthcare-breach-affects-up-to-1-8-million-individuals/
  8. https://news.bloomberglaw.com/privacy-and-data-security/apria-healthcare-sued-over-data-breaches-affecting-1-8-million
  9. https://casetext.com/case/smith-v-apria-healthcare-llc
  10. https://www.doj.nh.gov/consumer/security-breaches/documents/apria-healthcare-20230531.pdf
  11. https://www.jdsupra.com/legalnews/apria-healthcare-llc-data-breach-5748418/
Breach Submission Date: May 16, 2022
Converted Entity Name: Apria Healthcare LLC
Converted Entity Type: Healthcare Provider
State: IN
Individuals Affected: 1,868,831
Breach Type: Hacking/IT Incident
Breach Information Location: Email, Network Server
Business Associate Present: Yes