CPAP Medical Supplies and Services Inc. Data Breach 2025: 90,133 Affected, Including Military Members and Veterans. SSNs and PHI Exposed. What To Do.
CPAP Medical Supplies and Services Inc., a Jacksonville, Florida sleep-apnea equipment supplier that serves U.S. military families, active-duty service members, and veterans through TRICARE, filed a HIPAA breach notification with HHS OCR on August 15, 2025 reporting 90,133 affected individuals. Unauthorized actors had access to the network from December 13 to December 21, 2024, with discovery on June 27, 2025. Names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information were in scope. IDX credit monitoring offered. Multiple plaintiff firms have opened investigations.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 13, 2024
Earliest date of unauthorized access to the CPAP Medical network server
Dec 21, 2024
End of the unauthorized-access window
Jun 27, 2025
Forensic review completed; CPAP Medical confirms files containing identifiable PHI and PII were accessible during the December 2024 intrusion. Treated as the discovery date for breach-notification purposes.
Aug 15, 2025
Individual notification letters mailed. Filings submitted to HHS OCR and to state attorneys general (Maine, California, Washington, South Carolina, New Hampshire, Massachusetts among them).
Aug 15, 2025
HHS OCR breach report posted (90,133 affected, Healthcare Provider, Network Server, Hacking/IT Incident)
Dec 13, 2024
Earliest date of unauthorized access to the CPAP Medical network server
Dec 21, 2024
End of the unauthorized-access window
Jun 27, 2025
Forensic review completed; CPAP Medical confirms files containing identifiable PHI and PII were accessible during the December 2024 intrusion. Treated as the discovery date for breach-notification purposes.
Aug 15, 2025
Individual notification letters mailed. Filings submitted to HHS OCR and to state attorneys general (Maine, California, Washington, South Carolina, New Hampshire, Massachusetts among them).
Aug 15, 2025
HHS OCR breach report posted (90,133 affected, Healthcare Provider, Network Server, Hacking/IT Incident)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CPAP Medical Supplies and Services Inc. is a Jacksonville, Florida supplier of continuous positive airway pressure equipment and related sleep-apnea services. The company is a TRICARE network supplier, and its customer base is heavily weighted toward U.S. military families, active-duty service members, and veterans receiving CPAP therapy for obstructive sleep apnea. On August 15, 2025 the company filed a HIPAA breach notification with the HHS Office for Civil Rights reporting 90,133 affected individuals following an eight-day network intrusion in December 2024.
Timeline
- December 13 to December 21, 2024. An unauthorized actor had access to the CPAP Medical network. The Maine Attorney General notice records the incident as an external system breach at the network-server level (hacking/IT incident).
- June 27, 2025. CPAP Medical completes the forensic and document review and confirms that files containing identifiable protected health information and personal information were accessible during the intrusion window. This is the date the company treats as discovery for breach-notification purposes.
- August 15, 2025. Individual notification letters mailed. Filings made the same day with HHS OCR and with state attorneys general including Maine, California, Washington, South Carolina, New Hampshire, and Massachusetts. The HHS OCR portal lists the entity as a Healthcare Provider, location of breached information as Network Server, type of breach as Hacking/IT Incident.
The roughly six-month gap between the December 2024 intrusion and the June 2025 discovery, and the further eight-week gap between discovery and individual notification, are the two timing issues plaintiff firms have flagged in their investigations.
What was exposed
Per the company’s notice and the state-attorney-general filings, the data elements in scope include:
- Full name
- Date of birth
- Social Security number
- Patient identification number
- Financial and banking information
- Medical information (diagnoses, treatment plans, medical history)
- Health insurance information
The combination of SSN with financial-account information and PHI is the high-severity profile. It supports both new-account identity theft and targeted insurance fraud. The military, veteran, and TRICARE-beneficiary composition of CPAP Medical’s customer base adds operational-security risk on top of the financial-fraud exposure, particularly for active-duty service members whose home address and dependent information may now be in adversary hands.
What the entity is offering
CPAP Medical is offering complimentary credit monitoring and identity-theft protection through IDX to individuals whose Social Security numbers were among the impacted files. Enrollment instructions are included in the individual notification letter and the enrollment code is unique to each letter. The company has stated it is unaware of any misuse of patient data tied to the incident.
Class-action posture
No consolidated class-action complaint against CPAP Medical has been publicly docketed as of the date this page was last updated. Multiple plaintiff firms have announced investigations and are soliciting affected individuals: Levi & Korsinsky LLP, Schubert Jonckheer & Kolbe LLP, Federman & Sherwood, Strauss Borrelli PLLC, Abington Cole + Ellery, and Mason LLP. Likely claim theories, based on similar healthcare-breach litigation, will center on the gap between the December 2024 intrusion and the June 2025 discovery, the adequacy of network-security controls at a vendor entrusted with military health data, and the eight-month delay between intrusion and individual notification.
What to do if you may be affected
- Read the IDX enrollment instructions in your notification letter and activate the monitoring. The enrollment code is unique to your letter. Activation is the prerequisite for any remediation services later.
- Freeze your credit with Equifax, Experian, and TransUnion. Freezes are free, take roughly ten minutes per bureau, and block new-account fraud regardless of whether you enroll in monitoring.
- Watch your medical-insurance Explanation of Benefits statements. Because health-insurance information was in scope, medical-identity-theft risk is real and is not addressed by credit monitoring alone.
- For military and veteran beneficiaries: flag your TRICARE or VA file for unusual benefits or claims activity, and treat unexpected communications referencing your CPAP therapy, device shipments, or resupply orders as potentially malicious.
- Save your notification letter. It is the document a plaintiff firm will ask for if class-action litigation is later filed and consolidated.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record (Healthcare Provider, 90,133 affected, Network Server, Hacking/IT Incident, reported 2025-08-15).
- Maine Attorney General Data Breach Notification — official state filing with affected-count and timeline detail.
- HIPAA Journal: Cyberattack on Medical Equipment Provider Affects 90,000 Patients — established trade-press coverage with the canonical data-element list.
- SecurityWeek: CPAP Medical Data Breach Impacts 90,000 People — secondary trade-press confirmation including the company’s no-misuse statement.
- Malwarebytes: Troops and Veterans’ Personal Information Leaked in CPAP Medical Data Breach — military and veteran customer-base detail.
- ClassAction.org: CPAP Medical Data Breach Exposes Health Data; Attorneys Investigate — plaintiff-firm investigation tracker.
- Strauss Borrelli PLLC: CPAP Medical Data Breach Investigation — investigating-firm announcement.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Maine Attorney General Data Breach Notification
- HIPAA Journal: Cyberattack on Medical Equipment Provider Affects 90,000 Patients
- SecurityWeek: CPAP Medical Data Breach Impacts 90,000 People
- Malwarebytes: Troops and Veterans' Personal Information Leaked in CPAP Medical Data Breach
- ClassAction.org: CPAP Medical Data Breach Exposes Health Data; Attorneys Investigate
- Strauss Borrelli PLLC: CPAP Medical Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.