Medical supplier Apria sued over massive data breach
Subscriber Benefit
As a subscriber you can listen to articles at work, in the car, or while you work out. Subscribe NowAn Indianapolis-based supplier of oxygen kits, nebulizers and other home health care products is being sued in connection with a massive data breach of personal information and for waiting more than 18 months to report it.
At least six separate lawsuits have been filed this month in U.S. District Court in Indianapolis against Apria Healthcare LLC. Most of the suits are seeking class-action status on behalf of the 1.8 million people whose information was hacked by an unauthorized third party. The hacked information included private and financial information.
Apria notified authorities of the data breach on May 22. But the lawsuits say the company waited too long. The breaches occurred between April 2019 and October 2021. Apria said it discovered the breach on Oct. 1, 2021.
Indiana’s data breach notification law requires companies to disclose breaches “without unreasonable delay but no more than 45 days after the discovery of the breach.”
Apria was bought last year by global health care products distributor Owens & Minor Inc. of Richmond, Virginia, for about $1.6 billion.
A customer-service representative at Apria’s Indianapolis office referred questions to Owens & Minor’s corporate headquarters. The corporate office did not immediately respond to an email or phone call from IBJ on Friday.
Apria moved its headquarters to Indianapolis in 2022 from Los Angeles.
Several of the lawsuits say that Apria delayed disclosure to artificially bolster its valuation in its acquisition, which closed March 29, 2022.
Many of the suits claim negligence, invasion of privacy, breach of contract and unjust enrichment. Neither Apria nor Owens & Minor have yet filed responses to the lawsuits.