Personal and financial data describing almost 1.9 million Apria Healthcare patients and employees may have been accessed by crooks who breached the company’s networks over a series of months in 2019 and 2021.
The home healthcare equipment provider, which says it serves about two million patients from 280 locations across America, said it discovered the intrusion back in September 2021 and then alerted those it felt may have been affected on Monday this week. No, you haven’t fallen into a time warp: it is 2023 right now.
“Based on the investigation, it was determined that information potentially accessed in the incident varied for each individual and may have included personal, medical, health insurance or financial information, and in some limited cases, Social Security numbers,” according to a notice on Apria’s website.
This financial information includes bank account and credit card numbers in combination with security codes, access codes, passwords and account PINs. The healthcare biz also provided more details about what happened in a data security breach notification letter sent to 1,869,598 people.
An “unauthorized third party” broke into “select Apria systems” containing personal information from April 5, 2019 to May 7, 2019, and then a second time from August 27, 2021 to October 10, 2021, according to the alert [PDF].
“Apria took immediate action to mitigate the incident, including working with the Federal Bureau of Investigation (FBI) and hiring a reputable forensic investigation team to investigate and securely resolve the incident,” the letter reads.
It’s unclear, however, why Apria has only sent letters about the incident two years after spotting the cyber-break-in. We asked the company about the delay, as well as how the intruders gained access to the healthcare company’s data, and what it’s doing to better protect customer details in the future. Apria didn’t answer any specific questions.
Here’s the response The Register received from a company spokesperson:
In its notification letter, the organization told customers it “believes the purpose of the unauthorized access was to fraudulently obtain funds from Apria and not to access personal information of its patients or employees. There is no evidence of funds removed, and Apria is not aware of the misuse of personal information related to this incident.”
Which to us sounds like a business email compromise caper. The letter also references the, ahem, “small number of emails and files were confirmed to have been accessed,” and adds that there’s “no proof” that the intruders stole any data.
For those having a hard time believing that criminals had access to nearly 1.9 million people’s information and didn’t use it to commit any other crimes and instead just left it sitting there, untouched … well, we can’t say we blame you.
After working with the FBI and outside forensic investigators to “conduct a thorough review of the potentially affected systems,” Apria says it has implemented “additional security measures” to prevent a similar breach in the future — and further lock down patients’ and employees’ confidential data.
And for the people receiving a breach notification letter: you get free Kroll credit and identity monitoring, plus fraud consultation and identity theft restoration for a year, as is traditional.
“If I was one of their customers, I would immediately LOCK my credit and demand more investment into cybersecurity technologies like runtime protection, XDR, and MDR services,” Tom Kellermann, SVP of cyber strategy at Contrast Security, told The Register via email.
And, he noted, the crooks were in Apria’s systems “for a long time,” which may point to more problems down the road for customers.
“Cybercrime cartels always set up backdoors into compromised networks and many times these backdoors, aka RATs, are often sold on Access Brokerage Marketplaces,” he said.
“Thus they cannot rule out that the PII of the patients wasn’t leaked and systemic identity theft is ongoing.” ®