In December 2024, CPAP Medical Supplies and Services Inc., a Jacksonville-based provider of sleep therapy services and CPAP machines, suffered a cybersecurity breach compromising the personal data of over 90,000 patients, primarily military members, veterans, and their families. An unauthorized actor accessed the network between December 13–21, 2024, exfiltrating sensitive information including full names, birth dates, Social Security numbers, health insurance details, medical histories, and treatment plans. The breach remained undetected until June 2025, with notifications sent by mid-August. While no confirmed misuse of data has been reported, the exposure poses severe risks including identity theft, fraud, blackmail, compromised benefits eligibility, and erosion of trust in healthcare providers given the victims' military affiliations. The company offered free credit monitoring and identity theft protection as a precautionary measure, but the long-term consequences for affected individuals remain critical.
TPRM report: https://www.rankiteo.com/company/cpap-medical-military-sleep-therapy
"id": "cpa1332613100725",
"linkid": "cpap-medical-military-sleep-therapy",
"type": "Breach",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '90,000+ (primarily military '
'members, veterans, and their '
'families)',
'industry': 'Medical Supplies and Sleep Therapy '
'Services',
'location': 'Jacksonville, Florida, USA',
'name': 'CPAP Medical Supplies and Services Inc.',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Affected individuals advised to: change passwords, '
'enable 2FA, monitor for phishing, avoid storing card '
'details, and enroll in identity monitoring.',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '90,000+',
'personally_identifiable_information': ['Full names',
'Birth dates',
'Social Security '
'numbers',
'Health insurance '
'information'],
'sensitivity_of_data': 'High (includes SSNs, medical history, '
'and health insurance details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-06-30',
'date_publicly_disclosed': '2025-08-15',
'description': 'In December 2024, CPAP Medical Supplies and Services Inc. '
'(CPAP), a Jacksonville a Florida-based provider of sleep '
'therapy services and CPAP machines experienced a '
'cybersecurity incident that compromised the personal data of '
'over 90,000 patients, primarily military members, veterans, '
'and their families. An unauthorized actor accessed CPAP’s '
'network between December 13 and December 21, 2024. The breach '
'wasn’t discovered until late June 2025, and affected parties '
'were notified by mid-August. The stolen data includes full '
'names, birth dates, Social Security numbers, health insurance '
'information, medical history, and treatment plans. While CPAP '
'reports no known misuse of the data, affected individuals '
'were offered free credit monitoring and identity theft '
'protection.',
'impact': {'brand_reputation_impact': 'High (trust in healthcare providers '
'eroded, especially among military '
'personnel and families)',
'data_compromised': ['Full names',
'Birth dates',
'Social Security numbers',
'Health insurance information',
'Medical history',
'Treatment plans'],
'identity_theft_risk': 'High (personal and health data exposed, '
'risk to security, benefits eligibility, '
'and future job applications)'},
'initial_access_broker': {'high_value_targets': 'Military members, veterans, '
'and their families (due to '
'sensitive personal and '
'health data)'},
'investigation_status': 'Ongoing (no known misuse of data reported as of '
'disclosure)',
'post_incident_analysis': {'corrective_actions': 'Offered credit monitoring '
'and identity theft '
'protection; communicated '
'protective measures to '
'affected individuals.'},
'recommendations': ['Change passwords and use strong, unique credentials '
'(preferably via a password manager).',
'Enable two-factor authentication (2FA), ideally with '
'FIDO2-compliant hardware keys.',
'Beware of phishing attempts impersonating the vendor or '
'using urgent themes (e.g., missed deliveries, account '
'suspensions).',
'Avoid storing payment card details on websites.',
'Set up identity monitoring to detect illegal trading of '
'personal information.',
'Verify the identity of anyone contacting you about the '
'breach via official channels.'],
'references': [{'source': 'CPAP Medical Supplies and Services Inc. Public '
'Advisory'}],
'response': {'communication_strategy': 'Personalized notifications to '
'affected patients; public advisory on '
'protective measures (password '
'changes, 2FA, phishing awareness)',
'incident_response_plan_activated': 'Yes (notifications sent to '
'affected patients, credit '
'monitoring offered)',
'remediation_measures': 'Offered free credit monitoring and '
'identity theft protection to affected '
'individuals'},
'stakeholder_advisories': 'Personalized notifications sent to affected '
'patients; general advisory on protective measures '
'published.',
'threat_actor': 'Unauthorized actor',
'title': 'CPAP Medical Supplies and Services Inc. Data Breach (December 2024)',
'type': 'Data Breach'}