A data breach at CPAP Medical Supplies and Services, Inc., a Jacksonville, Florida-based defense contractor, exposed the sensitive personal and medical data of 90,133 military members, veterans, and their families. The unauthorized intrusion, discovered in late June (though occurring in December), compromised a wide range of information, including names, birth dates, Social Security numbers, patient IDs, health insurance details, medical histories, diagnoses, and treatment plans. The breach also impacted sleep data tracked by CPAP devices, which monitor users with obstructive sleep apnea.The company, which partners with Tricare (the military’s health insurer), is offering 12 months of free credit and identity monitoring to affected individuals. While notifications were sent in mid-August, the breach has been reported on data breach tracking sites for Maine, Massachusetts, and Washington but remains absent from the Texas Attorney General’s tracker and the U.S. Department of Health and Human Services (HHS) breach database. External cybersecurity experts are investigating the full scope of the compromise, though the delay in detection raises concerns about prolonged exposure of highly sensitive military-affiliated health records.
Source: https://dataconomy.com/2025/10/07/cpap-breach-exposes-data-of-90k-military-members/
TPRM report: https://www.rankiteo.com/company/cpap-medical-military-sleep-therapy
"id": "cpa4592645100725",
"linkid": "cpap-medical-military-sleep-therapy",
"type": "Breach",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 90133,
'industry': ['Healthcare', 'Defense'],
'location': 'Jacksonville, Florida, USA',
'name': 'CPAP Medical Supplies and Services, Inc.',
'type': 'Defense Contractor / Healthcare Provider'}],
'customer_advisories': 'Notification letters sent; 12 months of '
'credit/identity monitoring offered',
'data_breach': {'data_exfiltration': 'Likely (data accessed by unauthorized '
'actor)',
'number_of_records_exposed': 90133,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs, medical '
'histories, and military-affiliated '
'data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Medical records',
'Sleep data']},
'date_detected': '2023-06-01T00:00:00Z',
'date_publicly_disclosed': '2023-08-15T00:00:00Z',
'description': 'A data breach at CPAP Medical Supplies and Services, Inc., a '
'Jacksonville, Florida-based defense contractor, exposed the '
'sensitive information of 90,133 military members, veterans, '
'and their families after an unauthorized intrusion into its '
'computer systems. The breach included personal and medical '
'data such as names, birth dates, Social Security numbers, '
'patient identification numbers, health insurance details, '
'medical histories, diagnoses, and treatment plans. The '
'incident occurred in December but was discovered in late '
'June, with notifications sent in mid-August. The company is '
'offering 12 months of complimentary credit and identity '
'monitoring services to affected individuals.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive military and '
'veteran data',
'data_compromised': ['Names',
'Birth dates',
'Social Security numbers',
'Patient identification numbers',
'Health insurance details',
'Medical histories',
'Diagnoses',
'Treatment plans',
'Sleep data (from CPAP machines)'],
'identity_theft_risk': 'High (due to exposure of SSNs and personal '
'data)',
'systems_affected': ['Network environment']},
'initial_access_broker': {'high_value_targets': ['Military members',
'Veterans',
'PHI/PII data']},
'investigation_status': 'Ongoing (external cybersecurity professionals '
'investigating)',
'references': [{'source': 'CPAP Medical Supplies and Services, Inc. '
'Notification Letter'},
{'source': 'Maine Data Breach Notification Website'},
{'source': 'Massachusetts Data Breach Notification Website'},
{'source': 'Washington Data Breach Notification Website'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA '
'violations (PHI exposure)',
'State data breach '
'notification laws (Maine, '
'Massachusetts, '
'Washington)'],
'regulatory_notifications': ['Maine data breach '
'notification website',
'Massachusetts data '
'breach notification '
'website',
'Washington data '
'breach notification '
'website']},
'response': {'communication_strategy': 'Notification letters sent to affected '
'individuals; 12 months of '
'complimentary credit and identity '
'monitoring offered',
'incident_response_plan_activated': True,
'third_party_assistance': 'External cybersecurity professionals '
'engaged for investigation'},
'threat_actor': 'Unauthorized actor',
'title': 'Data Breach at CPAP Medical Supplies and Services, Inc.',
'type': ['Data Breach', 'Unauthorized Access']}