Apria Healthcare Left Customers in the Dark for Years as Hackers Accessed Its Systems

Apria Healthcare, a large provider of home healthcare equipment and services in the US, is notifying customers that hackers may have accessed their personal information in a breach long ago.

“We are writing to tell you about a data breach that may have exposed some of your personal information,” the letter begins (PDF). “We take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident.”

Hackers only wanted money, not data

In September of 2021, Apria received a “notification” regarding unauthorized access to its systems.

The healthcare giant found that an unauthorized party accessed its servers twice between 2019 and 2021. The purpose of the hack, Apria claims, was not to steal patient or employee data, but to “fraudulently obtain funds from Apria” (i.e. spear phishing / business email compromise).

“There is no evidence of funds removed, and Apria is not aware of the misuse of personal information related to this incident,” the memo continues. “A small number of emails and files were confirmed to have been accessed, but there is no proof that any data was taken from any system.”

According to Apria’s data breach notice to the Office of the Maine Attorney General, 1,869,598 people were affected in this breach.

Apria says it enlisted the help of the FBI and forensic investigators to conduct a thorough review of the potentially affected systems while also taking “additional security measures” as instructed by the forensic sleuths “to help prevent the reoccurrence of a similar breach.”

Worryingly, Apria’s management took almost two years to issue a formal data breach notice, as it already had details of the attack in September of 2021.

Investigation “recently” completed

Responding to an inquiry about the delay, Apria told British news site The Register that the investigation into what data may have been impacted was only recently completed.

As most breaches go, extended periods of access to sensitive data gives hackers a huge incentive to collect that data and sell it on the underground web for use in spam and fraud campaigns, and even extortion.

Bitdefender Digital Identity Protection lets you instantly find out if your data has leaked in a breach, what type of information was compromised, what risks you may face, and whether any of your information is for sale on the dark web.

Bitdefender Identity Theft Protection covers damages and financial loss from identity theft, complete identity theft restoration services, and identity theft insurance up to $2 million.