
Apria Healthcare Data Breach Exposed Sensitive Information of Nearly 2 Million Patients

The Apria Healthcare data breach has exposed the personal, medical, and financial information of up to 1.8 million individuals.

According to a data breach notification filed with the Maine Attorney General’s Office, the cyber intrusion occurred from April 5 to May 7, 2019, and from August 27 to October 10, 2021.

Apria said it received a notification about the unauthorized access on September 1, 2021, and responded promptly to mitigate the breach, notified federal law enforcement authorities, and retained external cyber forensics experts.

Based in Indianapolis, Indiana, US, Apria Healthcare LLC is a leading provider of home healthcare equipment, serving over 2 million patients from over 200 locations in the United States.

Apria healthcare data breach attributed to financially-motivated hackers

Although hackers accessed a “small number of emails and files,” Apria believes the cybercriminals were interested in stealing funds from the company and not exfiltrating patient and employee information.

Apria has found no evidence that hackers succeeded in transferring funds or misusing personal information.

“There is no evidence of funds removed, and Apria is not aware of the misuse of personal information related to this incident. A small number of emails and files were confirmed to have been accessed, but there is no proof that any data was taken from any system,” Apria said.

However, Tom Kellermann, SVP of Cyber Strategy at Contrast Security, suggested the company should not rule out that “systemic identity theft is ongoing.”

“If I was one of their customers, I would immediately LOCK my credit and demand more investment into cybersecurity technologies like runtime protection, XDR, and MDR services,” Kellermann said.

Meanwhile, the medical equipment provider has confirmed that the security breach compromised sensitive data, including personal information, medical records, health insurance information, and financial details.

Financial data leaked includes account numbers, credit/debit card numbers, account security codes, access codes, passwords, and PINs.

“It was determined that information potentially accessed in the incident varied for each individual and may have included personal, medical, health insurance or financial information, and in some limited cases, Social Security numbers,” the company posted on its website.

Apria has notified potentially impacted customers but could not determine whether each individual’s data was accessed: “For the individuals receiving this notice, the investigation was unable to confirm whether any emails or files about them were actually accessed.”

It remains unclear why the healthcare data breach took almost two years to disclose despite the Health Insurance Portability and Accountability Act (HIPAA) demanding prompt notification of impacted individuals. Similarly, the duration and the number of times hackers accessed Apria’s IT systems raise serious questions about the company’s cybersecurity practices.

“The main takeaway is that the attacker had unencumbered access to sensitive, personal patient healthcare information for over three months,” said Dror Liwer, co-founder of Coro. “The fact that the attacker was able to return a year later indicates that they took advantage of a vulnerability that wasn’t managed.”

However, Apria said it extensively analyzed the incident with the FBI and implemented extra security measures recommended by its external cyber forensics experts. Additionally, the company has provided free 12-month Kroll identity monitoring services to protect the victims from identity theft and online fraud.

Another healthcare data breach rocks the industry

Healthcare organizations have traditionally been lucrative targets for hackers, given the attractive prices that patient information fetches on the underground markets.

The Apria cyber incident is hardly the most significant healthcare data breach disclosed this year.

In March 2023, emotional healthcare provider Cerebral, Inc. notified 3.1 million patients it inadvertently shared protected health information (PHI) with third-party platforms and subcontractors via tracking pixels.


In May 2023, American pharmacy giant PharMerica disclosed a massive healthcare data breach impacting 5.8 million patients.

Similarly, Community Health Systems (CHS) disclosed a third-party data breach in February 2023, impacting 962,884 patients. CHS attributed the healthcare data breach to the Fortra GoAnywhere file transfer appliance vulnerability. At least 130 organizations, including dozens of healthcare institutions, were affected.