A data breach at CPAP Medical Supplies and Services, Inc., a Jacksonville, Florida-based defense contractor, exposed the sensitive information of 90,133 military members, veterans, and their families after an unauthorized intrusion into its computer systems.
The company stated the security incident occurred in December, but it was not discovered until late June. Notification letters were subsequently sent to affected individuals in mid-August. A wide range of personal and medical data was exposed, including names, birth dates, Social Security numbers, and patient identification numbers. The compromised information also encompassed health insurance details, comprehensive medical histories, specific diagnoses, and treatment plans. This breach impacted thousands of residents in Texas as part of the total number of affected individuals.
In its notification letter, the company informed patients, “As a result of a cybersecurity incident, CPAP learned that an unauthorized actor gained access to our network environment.” The firm confirmed it is now working with external cybersecurity professionals to investigate the incident and to determine the full extent to which personal or sensitive data had been compromised. CPAP Medical Supplies and Services, Inc. partners with Tricare, the military’s health insurer, to provide continuous positive airway pressure (CPAP) machines and related supplies for patients diagnosed with obstructive sleep apnea. The devices, which help keep a user’s airways open during sleep, also track sleep data that the company’s systems can access.
In response to the breach, the company is offering 12 months of complimentary credit monitoring and identity monitoring services to all impacted individuals. While the incident has been listed on the data breach notification websites for the states of Maine, Massachusetts, and Washington, it has not yet appeared on the Texas Attorney General’s online tracker for data security breaches. The breach is also not currently listed on the U.S. Department of Health and Human Services database of health information breaches.
