25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Posted By on Aug 20, 2025

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network from January 2, 2025, and January 28, 2025.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed, and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist