Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.
CPAP Medical Supplies and Services Inc.
CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.
After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
Health Services LLC (Miracle Ear)
Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network from January 2, 2025, and January 28, 2025.
Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed, and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information…