Apria Healthcare Was Pwned…. But You’re Finding Out About It Two Years After The Fact…. WTF??

This week, Apria Healthcare alerted nearly 1.9 million patients and employees that their personal and financial data may have been accessed by hackers who breached the company’s networks between April 5, 2019 and May 7, 2019, and then a second time between August 27, 2021 and October 10, 2021. It’s unclear, however, why Apria has only sent letters about the incident two years later.

Information potentially accessed may have included personal, medical, health insurance or financial information such as bank account and credit card numbers in combination with security codes, access codes, passwords and account PINs. 

According to Apria, the company took immediate action, including working with the FBI and hiring a reputable forensic investigation team to investigate. I’ll comment on this in a moment, but first I will let Willy Leichter, VP, Cyware start off the commentary:

This is another example of the fundamental flaws in our breach notification system. Learning that your personal data was breached two years ago is practically useless, and all the free credit reporting in the world won’t help. While we try to mandate how quickly an organization must report a breach, there are no clear standards on how quickly breaches need to be discovered. In fact, there’s a perverse disincentive – the more lackluster your security, the longer you can wait to discover or disclose breaches that can be damaging to your business.

Roy Akerman, Co-Founder & CEO, Rezonate follows up with this:

“Unfortunately, we see an example where time to report an incident is not measured in days but in years. Healthcare PII data is considered premium in the dark web forums as one cannot simply alter their information with a new one. It is critical now to complete the investigation and truly understand the chain of attacks that occurred in 2019 and 2021 and validate there are no additional stealthy adversaries hiding and no backdoors left behind.”

Apria needs to be slapped here. Fines, Congressional hearings, whatever. The thing is that they took way too long to tell the world about this breach. And who knows if they have truly addressed whatever issues led to the breach in the first place. The fact is that Apria failed miserably here and that not only needs to be addressed with this healthcare provider, but by better laws that force immediate disclosure of breaches.
