Attorney General Todd Rokita has initiated legal proceedings against Apria Healthcare LLC following a significant data breach that affected over 42,000 residents of Indiana and approximately 1.8 million individuals across the United States. The lawsuit represents an effort to address alleged violations related to patient privacy.
Apria Healthcare, a company that supplies home healthcare equipment and services nationwide, reportedly failed to notify its patients promptly about data breaches that occurred in 2019 and 2021. The delay in notification lasted until May 2023, nearly two years after the incidents were discovered.
“Patients should be able to trust their medical providers at all times,” stated Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care.”
The breach was initially brought to Apria's attention by the FBI on September 1, 2021. Unauthorized access allowed intruders to obtain millions of documents containing protected health information and personal details. Email accounts of several employees, including Apria’s CEO, were also compromised.
Rokita emphasized the importance of security in healthcare: “Everyone should feel protected by their health care providers. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin.”
Allegations against Apria include concealing the breach from consumers and failing to implement necessary HIPAA policies and procedures. As a result of inadequate security measures, sensitive information like Social Security Numbers and credit card details was exposed.
The lawsuit outlines five counts against Apria: violations of HIPAA’s Notification Rule, Security Rule, Privacy Rule; violations of the Disclosure of Security Breach Act; and violations of Indiana Deceptive Consumer Sales Act.
It is also claimed that Owens & Minor, Apria's parent company since March 2022, was aware of these breaches at the time of acquisition.
###