Home Health Gear Firm Says Breach Affects Nearly 1.9 Million
Incident Discovered in Fall 2021, But Compromised Data Dates Back to 2019
Home healthcare equipment firm Apria Healthcare is notifying nearly 1.9 million individuals of a hacking incident first discovered in September 2021 that involves personal and health information dating back to mid-2019.
The company said the investigation into the breach indicates the unauthorized access was part of an attack to fraudulently obtain funds from Apria rather than to access the personal information of its patients or employees.
The Indianapolis, Indiana-based supplier of sleep apnea, breathing, diabetic equipment and other gear on Monday told the Maine attorney general's office that the incident had affected 1.87 million individuals, including nearly 7,200 Maine residents.
In a sample breach notification letter provided to Maine regulators, Apria said that on Sept. 1, 2021, it received a notification regarding access to select Apria systems by an unauthorized third party.
The company said it took "immediate action" to mitigate the incident, including contacting the FBI and a third-party forensics team. The investigation determined that an unauthorized party had accessed systems containing personal information from April 5, 2019, to May 7, 2019, and from Aug. 27, 2021, to Oct. 10, 2021.
Information potentially compromised includes personal, medical, health insurance or financial information, and in some cases, Social Security numbers, Apria said.
"There is no evidence of funds removed, and Apria is not aware of the misuse of personal information related to this incident," the company said. "A small number of emails and files were confirmed to have been accessed, but there is no proof that any data was taken from any system."
Apria Healthcare was acquired by Owens & Minor in March 2022 for $1.6 billion. The company did not immediately respond to Information Security Media Group's request for additional details about the situation, including why there appears to be a 20-month delay between the discovery of the incident and breach notification.
Under HIPAA, breaches affecting the protected health information of 500 or more individuals are required to be reported to the U.S. Department of Health and Human Services within 60 days of discovery, or sooner. Also, affected individuals are to be notified no later than 60 days after the discovery of a breach.
As of Tuesday, the Apria breach did not appear on the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website for incidents affecting 500 or more individuals.
State and federal breach reporting requirements vary in the scope of covered information as well as in the content of the notice and the timeline for making the notification, said Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
"The time limit is often 30 or 60 days. On the face of it, Apria's disclosure seems to be beyond what is typically permitted by law and could potentially result in penalties," Moore said.
Because Apria has not publicly indicated when it became aware that individuals' personal information had been disclosed or had likely been disclosed in the incident, it is unclear whether the company's apparent delay in reporting was justified or not, he added.
"Working with the FBI should not be a justification for the delay unless the FBI specifically requested that they not make the breach public for perhaps an investigatory reason," Moore said. "We have no evidence that this was the case here; however, it is possible."
The best action other organizations can take to avoid delays in detecting a cyber incident or other type of data breach is to implement a managed detection and response solution or a similar type of capability, Moore said.
That includes endpoint detection and response solutions, log monitoring, intrusion prevention and detection systems, SIEM, alerting and a 24/7/365 security operations center to monitor and analyze alerts, he said. "In addition, regularly training employees on identifying a potential security incident and encouraging reporting is also helpful."
In the breach notification, Apria said it has implemented additional security measures to help prevent the reoccurrence of a similar incident. The company is also offering affected individuals one year of complimentary identity and credit monitoring.