Indiana Attorney General Alleges Apria Healthcare Violated HIPAA and State Laws

Apria Healthcare is alleged to have failed to comply with the HIPAA Privacy, Security, and Breach Notification Rules and state laws in relation to a breach of the protected health information of 1.8 million individuals nationwide, and 42,000 Indiana residents.
Indiana Attorney General Todd Rokita filed a lawsuit that alleges a failure to implement reasonable and appropriate safeguards to reduce risks and vulnerabilities to electronic protected health information in violation of the HIPAA Security Rule, a violation of the HIPAA Privacy Rule for impermissibly disclosing the protected health information of 1.8 million individuals, and a violation of the HIPAA Breach Notification Rule for not issuing timely notifications to individuals affected by the data breach. The actions, or lack of actions, by Apria Healthcare are also alleged to have violated Indiana's Disclosure of a Security Breach Act and Deceptive Consumer Sales Act.
Indianapolis-based Apria Healthcare provides home healthcare equipment for sleep apnea and other conditions. In September 2021, the Federal Bureau of Investigation notified Apria Healthcare that evidence had been found to indicate a breach of its systems. Apria Healthcare investigated and confirmed a breach of its network and email accounts, and while it appeared that the purpose of the attack was to defraud Apria Healthcare, the protected health information of almost 1,870,000 individuals had been exposed and potentially stolen. The exposed information included names, birth certificates, financial information, Social Security numbers, and healthcare information.
Breach notifications must be issued to the affected individuals within 60 days of the discovery of a breach to comply with the HIPAA Breach Notification Rule and within 45 days to comply with state law, but notifications were sent 629 days after the breach was discovered. During that time, Apria Healthcare was acquired by Owens and Minor, which AG Rokita alleges was aware of the breach, yet failed to issue notifications for a year.
"Patients should be able to trust their medical providers at all times," said Attorney General Rokita. "All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you're susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats."