Apria waits almost two years to notify 1.8 million patients that their identities were stolen, then attempts to downplay its significance.
Apria Healthcare, a manufacturer of medical equipment for the home, is sending out breach notifications to roughly two million people whose information may have been stolen in data breaches in 2019 and 2021.
What Is Known So Far
Despite the breach happening years ago, knowledge of the breach is only now slowly emerging. Based on Apria’s Notice of Data Breach filed with the Maine Attorney General, on October 1, 2021, Apria was notified that an unauthorized party had gained access to the company’s computer network. In response, Apria secured its network, reported the incident to the FBI, and then began working with a cybersecurity firm to investigate the allegations.
Apria’s investigation revealed that an unauthorized person accessed certain files containing confidential patient information from April 5, 2019 to May 7, 2019 and then again from August 27, 2021 to October 10, 2021. What is unsettling is that, although Apria learned of the data breach on October 1, 2021, hackers were still able to access Apria’s network for a further 10 days.
What Information Was Stolen?
According to the Company’s official filing, information obtained from the hack includes:
- Full Name
- Social Security Number
- Personal Details
- Medical Records
- Health Insurance Information
- Financial Information (credit/debit card numbers, PINs, security codes, access codes, passwords)
Why Did Apria Wait Almost Two Years To Notify Patients?
Under the Health Insurance Portability and Accountability Act (“HIPAA”), breaches affecting the protected health information of 500 or more individuals are required to be reported to the U.S. Department of Health and Human Services within 60 days of discovery. Affected individuals are to be notified no later than 60 days after the discovery of a breach.
Apria did not comment as to why it waited 20 months before notifying its patients. By not complying with HIPAA, it may leave itself open to further penalties.
Understand Your Rights Regarding Apria’s Data Breach
Apria’s Notice of Data Breach states that it will provide 12 months of identity theft protection and credit monitoring to affected individuals. Victims should be aware of their legal rights and any waivers of liability Apria may require in order to provide these services.
Victims of identity theft are now exposed to a lifetime of fraudulent activity. Criminals use this information to:
- open new financial accounts in victims’ names,
- take out loans using victims’ identities,
- obtain medical services,
- use health information to craft phishing and other hacking attacks based on a victim’s individual health needs,
- obtain government benefits,
- file fraudulent tax returns,
- obtain driver’s licenses,
- give false information to police during an arrest.