Indiana AG Sues Healthcare Organization Over Data Breach

March 05, 2024 - Indiana Attorney General Todd Rokita filed a lawsuit against Apria Healthcare over a data breach that unfolded between April 2019 and October 2021. Apria is a leading provider of home medical equipment delivery and clinical support and serves more than two million patients across 270 locations.

In September 2021, the Federal Bureau of Investigation (FBI) notified Apria that a third party was likely able to access its system. Apria launched an investigation and determined that an unauthorized party had accessed documents containing protected health information (PHI) as well as employee email accounts at various points between 2019 and 2021.

Despite finding out about this unauthorized access in September 2021, Apria Healthcare notified the nearly two million impacted patients of the breach in May 2023, more than 600 days after the initial discovery.

In the lawsuit, Rokita alleged that Apria’s delayed notification constituted violations of both HIPAA and Indiana law. Of the two million individuals impacted by the breach, 42,000 were Hoosiers.

“Everyone should feel protected by their health care providers,” Rokita said. “When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”

The lawsuit alleged that Apria concealed the breach from its customers and failed to implement the proper safeguards to protect sensitive data. As a result, sensitive information such as Social Security numbers, birth certificates, credit and debit card information, and medical histories were jeopardized.

“By having an extreme delay in notifying Indiana consumers, the Office of the Indiana Attorney General, and the credit reporting agencies, Apria greatly increased the chance that Hoosiers were the victims of identity deception,” the filing stated.

“Apria had many opportunities to alert Hoosiers of the Data Breaches, but Apria chose not to. Instead, Apria chose to delay notification for close to two years, which put Hoosiers’ identities at risk.”

The lawsuit alleged violations of the HIPAA Breach Notification Rule, which requires covered entities to notify impacted individuals of a breach within 60 days of discovery. Additionally, Rokita alleged that Apria violated the HIPAA Security Rule, the HIPAA Privacy Rule, the Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act.