Compumedics cyberattack impacts patients at multiple sleep clinics and hospitals
Farah Amod
Jul 23, 2025 8:33:46 AM

A data breach at a sleep diagnostics tech vendor has compromised sensitive patient records across nearly a dozen healthcare providers.
What happened
Compumedics USA Inc., a provider of sleep diagnostics and research technologies, confirmed that its network was breached by an unauthorized third party earlier this year. The intrusion disrupted its IT systems and exposed sensitive data from patients connected to several healthcare clients.
The breach lasted from February 15 to March 23, 2025, and was discovered on March 22. A file review completed in mid-May revealed that stolen data included names, birth dates, medical record numbers, diagnoses, treatment information, and sleep study results. In some cases, Social Security numbers were also compromised.
Compumedics began notifying affected healthcare providers on April 29 and started issuing patient letters in late June.
Going deeper
Compumedics works with sleep clinics and healthcare systems to support diagnosis and treatment of sleep disorders. The breach affected at least 11 provider clients:
- Bermuda Sleep & Signature Services
- Hope Healthcare
- Bronson Healthcare Group
- Chest Medicine Associates PA
- Billings Clinic
- Davis Medical Center
- Northern Light AR Gould
- Northern Light Eastern Maine Medical Center
- Northern Light Sebasticook Valley Hospital
- VCU Health System Authority
- Vitalcare Family Practice
Northern Light Health issued its own statement clarifying that only Compumedics systems were affected, not its internal infrastructure. Compumedics has since strengthened its security and offered credit monitoring to patients whose Social Security numbers were exposed.
What was said
The company noted that the unauthorized access involved data being copied from its systems, not ongoing system control or encryption. Compumedics engaged external cybersecurity specialists and says it has completed employee retraining and added more advanced safeguards. Affected patients were advised to watch for suspicious activity and review their insurance statements carefully.
The big picture
Vendors with access to sensitive medical information continue to face growing pressure from cyber threats. Although the breach was limited to Compumedics systems, the exposure affected multiple healthcare providers and their patients. The incident points to the need for stronger oversight of vendor security practices, particularly when patient data is stored or processed outside the primary organization’s infrastructure.
FAQs
Why do sleep study providers need a vendor like Compumedics?
Vendors like Compumedics offer specialized tools and software to conduct and analyze sleep studies, which many healthcare providers do not develop in-house.
How does the breach affect patients at different hospitals if the vendor was compromised, not the hospital?
Hospitals often rely on external vendors to host or process parts of patient records. If a vendor’s system is breached, data belonging to multiple hospitals can be exposed even if the hospitals’ own systems remain secure.
What is a substitute breach notice?
A substitute breach notice is a public notice issued when individual patients cannot all be reached directly, often due to incomplete contact details or the volume of affected individuals.
Is this breach required to be reported under HIPAA?
Yes. If patient health information is compromised, both the vendor and the healthcare providers must follow HIPAA breach notification rules, including reporting to the Department of Health and Human Services.
What should affected patients do now?
Patients are encouraged to enroll in any identity protection services offered, monitor medical bills and insurance statements, and report any suspicious activity to their provider or insurer.