CPAP Medical breach exposes sensitive data of over 90,000 individuals

A data breach at CPAP Medical Supplies went undetected for months, compromising Social Security numbers, medical records, and financial data.

 

What happened

On June 27, 2025, CPAP Medical Supplies and Services discovered a security breach that had occurred between December 13 and December 21, 2024. According to a filing with the Maine Attorney General’s office, the breach affected 90,133 individuals across the US. The exposed data includes Social Security numbers, dates of birth, government-issued IDs, financial details, and protected health information.

The breach was not immediately detected, and public notices suggest that the gap between intrusion and discovery may point to either a sophisticated attack or a failure in early threat detection.

 

What was said

CPAP Medical Supplies has not released technical details about the breach method or the specific systems affected. However, it has made a support line available for impacted individuals Monday through Friday, 9 a.m. to 9 p.m. Eastern Time. The company recommends that affected users follow the provided guidance on securing their financial and health records.

 

The big picture

According to SecurityWeek, “No known ransomware group appears to have taken credit for the attack on CPAP Medical.” The report noted it is possible the company was hit by actors who don’t publicly name victims, or that “the organization may have paid a ransom to avoid having stolen data leaked.” It added that compared to larger incidents in healthcare, this was “a relatively small healthcare-related data breach.”

 

FAQs

Why is medical information valuable to cybercriminals?

Medical data can be used to commit insurance fraud, create fake identities, or obtain prescription drugs illegally. Unlike credit card numbers, medical records can’t easily be changed or canceled.

 

What does IDX identity protection include?

IDX typically offers services such as credit monitoring, identity theft recovery, dark web monitoring, and insurance coverage for identity-related losses.

 

How long after a breach can fraud still occur?

Fraud can occur months or even years after the initial breach, especially when Social Security numbers and medical information are involved, so long-term vigilance is needed.

 

Are companies legally required to notify individuals after a breach?

Yes. Under U.S. state data breach laws, companies must notify affected individuals and relevant state regulators if sensitive personal data has been exposed. The exact timeline varies by state.