Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations
Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.
Apria Healthcare is an Indianapolis, IA-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the reason for the intrusion was to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after being notified about the breach by the FBI.
Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the affected individuals within 60 days of the discovery of a data breach. The delayed notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.
Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy