Threat actors breached Apria`s Healthcare LLC system and stole the credit card data of 1,869,598 patients and employees. Apria is one of the top US home medical equipment delivery and clinical support provider companies.
Although the company discovered the attack back in 2021, they only notified the affected persons on May 22nd, 2023. According to Apria`s notice, an unauthorized third party „accessed select Apria systems storing personal information” from April 5th to May 7th, 2019, and once again between August 27th to October 10th, 2021.
The unauthorized third party allegedly accessed Apria’s systems from April 5th to May 7th, 2019. The malicious actors then accessed the systems again from August 27th to October 10th, 2021.
The Stolen Data and Consequent Risks
After breaching the system, hackers succeeded in stealing extremely sensitive data of almost 2 million people. Personal, medical, and health information, as well as Social Security numbers, are on the list of compromised data. Along with all that, threat actors also obtained:
- account numbers and credit/debit card numbers,
- accounts` security codes,
- access codes, passwords,
- PIN numbers.
In this case, financial fraud, phishing attacks, and identity theft are among the major risks.
Until now, there seems to be no evidence of funds removal or other misuse of the compromised data. So, Apria claims that the threat actors don`t actually plan to access the information. According to their investigation and the law enforcement`s opinion, the goal was to obtain a ransom from Apria.
Response, Mitigation and Prevention Measures
According to the notification letter the company sent to the impacted people:
Apria has worked with the FBI and forensic investigators to conduct a thorough review of the potentially affected systems. We have also implemented additional security measures upon the guidance and recommendation of our forensic investigators to help prevent the reoccurrence of a similar breach and to further protect the privacy of our patients and employees.
As a caution measure, Apria offered the affected persons free credit and identity monitoring, fraud consultation, and identity theft restoration for a year.
It remains unclear why the company waited for almost two years to announce its clients and employees about their data being stolen. Also, Apria didn`t reveal yet how did the threat actors manage to breach their system.
In order to prevent a data breach, cyber security specialists recommend:
- Patch and update regularly the company`s software. Using an automated patch management solution is most effective and saves the security team a lot of time.
- Use high-grade encryption. This way, third parties won`t be able to access the cryptographic keys and decode communication.
- Enforce BYOD access-based security policies. Establishing a BYOD strategy keeps companies safe from data breaches and other cybersecurity risks.
- Strong passwords and multi-factor authentication
By now, any company should use two-factor or multi-factor authentication. Not only should passwords be complex and diverse, but once a system was breached, they should all be reset.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;