June 1, 2023
Apria Healthcare, a provider of home medical equipment, recently announced a data breach that exposed the sensitive information of approximately 2 million patients.
The medical equipment provider has confirmed that the security breach exposed sensitive patient information (PHI), such as personal medical records, health insurance policy information, and financial statements.
Apria Healthcare Data Breach: Overview of the Incident
Apria Healthcare, a prominent provider of home medical equipment, recently reported a major data breach impacting up to 2 million individuals. This incident underscores the growing threat posed by cyberattacks against healthcare institutions – with potentially grave repercussions for patient privacy and trust in medical institutions. This data breach occurred from April 5 to May 7, 2019, and August 27 to October 10, 2021, and affected patients who purchased or serviced medical equipment through Apria.
The information exposed included names, addresses, Social Security numbers, dates of birth, and health insurance information. Confidential financial data was also leaked, including account numbers, credit card numbers, account security codes, access codes, passwords, and PINs.
Hacker Motives and Potential Risks to Patient Information
Though hackers may have gained access to “a small number of emails and files,” Apria believes the focus of cybercriminals was to access funds instead of exfiltrating patient and employee data.
Apria has found no evidence that the attackers successfully transferred funds, and it is unaware of any misuse of personal information as a result of the attack.
Tom Kellermann of Contrast Security suggested that the company should not rule out systemic identity theft. He said that if he were one of their customers, he would immediately lock his credit and demand more investment into cybersecurity technologies like runtime protection, XDR, and MDR services.
Dror Liwer, Coro Cybersecurity’s co-founder, also stressed that “The main takeaway is that the attacker had unencumbered access to sensitive, personal patient healthcare information for over three months.” “The fact that the attacker was able to return a year later indicates that they took advantage of a vulnerability that wasn’t managed,” he added.
Apria’s Response and Mitigation Efforts
Apria said they received notice of the unauthorized access on September 1, 2021, and quickly took steps to mitigate it, notify federal law enforcement authorities, and bring on external cyber forensics specialists for investigation. They then informed the potentially affected customers but could not determine whether their data was compromised.
According to the company's investigation, Apria could not confirm whether any emails or files were accessed or stolen by the unauthorized party. Apria also stated that it conducted extensive analysis with the FBI and implemented additional security measures recommended by the external cyber forensics experts. Furthermore, the U.S. home health equipment provider is offering affected customers 12 months of free Kroll identity monitoring services to help protect them from identity theft and online fraud.
Nonetheless, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that affected individuals be notified of a healthcare data breach promptly and without unreasonable delay. In Apria's case, nearly two years passed between the incident and its disclosure, raising serious concerns about the company's cybersecurity measures and breach management practices.
Whatever the reason for the delay, the Indianapolis-based company failed to meet the breach notification requirements set out in HIPAA. While steps have since been taken to lessen the impact, this incident highlights the ongoing challenges healthcare providers and other covered entities face in protecting sensitive patient data.
Stay One Step Ahead With Robust Cybersecurity
Organizations face an ever-present and growing threat from malicious attackers, with damages ranging from financial, reputational, and operational losses to considerable personal harm. Because of this, implementing and maintaining robust cybersecurity measures within a digital infrastructure is vital to protect sensitive patient information, ensuring resilience against evolving cyberattacks.
Businesses and organizations can significantly reduce the risk of healthcare data breaches with enterprise-grade encryption, multi-factor authentication, and HIPAA-compliant shared drives. The absence of these necessary countermeasures can have devastating repercussions, including identity theft, credit card fraud, and financially debilitating ransomware attacks, in addition to the potential lawsuits and criminal penalties that result from HIPAA violations.
By being proactive in safeguarding PHI, healthcare organizations can better demonstrate their competence to protect patients and, at the same time, maintain a positive reputation across the healthcare industry.