Hackers breach CPAP medical supplies, exposing data of 90,000 customers

CPAP Medical Supplies and Services, a provider of sleep therapy equipment with a strong focus on U.S. military personnel, has disclosed a cyberattack that compromised the personal information of more than 90,000 individuals.

The company said the breach occurred between December 13 and December 21, 2024, when attackers gained unauthorized access to its network. A breach notification letter sent to affected individuals confirmed that sensitive data may have been exposed during the incident.

Information submitted to the Maine Attorney General’s Office showed that the data of 90,365 people was affected. In its public notice, CPAP warned that names, Social Security numbers and other protected health and personal information may have been accessed.

CPAP emphasized that it provides medical gear for sleep therapy, frequently serving U.S. service members and their families. The company’s website highlights its focus on military communities and notes that it accepts Tricare, the U.S. Department of Defense’s health program for service members.

“We commenced a prompt and thorough investigation into the incident and worked very closely with external cybersecurity professionals experienced in handling these types of situations to help determine whether any personal or sensitive data had been compromised,” the company stated in its breach notice.

The exposure of Social Security numbers and health data can increase the risk of identity theft, fraud and phishing attempts. Cybercriminals often leverage stolen medical information to file false insurance claims or obtain prescriptions for controlled substances. While CPAP said it has no evidence that the data has been misused, the company is offering complimentary credit and identity monitoring services to those impacted.

Healthcare organizations remain a primary target for hackers due to the value of medical records in underground markets. In 2024 alone, healthcare-related data breaches exposed more than 267 million records across the United States, according to industry research.