CPAP Data Breach Exposes 90k Records of Military-Linked Customers

CPAP’s systems were breached in December 2024, exposing names, SSNs, and protected health information for over 90,000 individuals, including military beneficiaries.

    CPAP Medical Supplies and Services, a sleep therapy equipment provider that highlights service to U.S. military personnel, disclosed a cyberattack that exposed the personal data of tens of thousands of customers. The company said cybercriminals breached its network between December 13 and December 21, 2024. Information CPAP submitted to the Maine Attorney General’s Office indicates more than 90,000 people were affected.

    The incident adds to a continuing series of healthcare data breaches and underscores the sensitivity of records held by small, specialized vendors that serve military and government-linked populations. CPAP’s published breach notice and the company’s notification letters to impacted individuals provide the primary details available at this time.

    Breach Overview and Timeline

    According to CPAP’s breach notification, unauthorized access occurred during a nine-day window in December 2024. The company reported the incident to state authorities and initiated a formal investigation with external cybersecurity professionals. The notice states:
    “We commenced a prompt and thorough investigation into the incident and worked very closely with external cybersecurity professionals experienced in handling these types of situations to help determine whether any personal or sensitive data had been compromised as a result of this incident.”

    CPAP’s communications framed the event as an intrusion that allowed attackers to access data stored on its systems during that period. Beyond the December timeframe and the disclosure to the Maine Attorney General’s Office, CPAP has not released an exhaustive technical timeline or a public forensic report.

    Scope of Exposed Data in CPAP Data Breach

    The data elements CPAP reported as potentially accessed are broad and include both identity and protected health information. The company’s breach notice lists the types of information that may have been exposed and notes that the specific items vary by individual. Reported categories include:

    • Customer names
    • Social Security numbers (SSNs)
    • Other identifiable protected health information and personal information related to individuals’ sleep therapy and services

    CPAP did not indicate that financial account credentials or payment card numbers were part of the exposure in the notice summarized above. The company has told impacted individuals about the specific data elements observed for their records as part of the notification process.

    Who CPAP Serves and Why That Matters

    CPAP’s website emphasizes a focus on service members and veterans, and the company accepts Tricare, the U.S. Department of Defense’s health insurance program for military personnel. That user base helps explain why the breach may draw heightened concern: records connected to military beneficiaries can contain details and identifiers that are sensitive in both a medical and national security context.

    The Maine Attorney General filing that provided the affected-person count underscores the regulatory process that follows healthcare breaches, where vendors must report incident scope and content to state authorities as part of consumer protection rules.

    Potential Harms From Exposed Records

    CPAP’s notice and typical consequences of comparable healthcare breaches point to several potential harms if data were misused. Although the company stated it has no indication of misuse to date, the possible impacts include:

    • Identity Theft: SSNs and names can be combined to open fraudulent accounts or to impersonate victims in financial and administrative contexts.
    • Spear-Phishing and Social Engineering: Attackers can craft convincing messages that reference patient care or provider interactions to elicit additional sensitive information.
    • Medical Identity Theft: Exposed health data can be used to submit fraudulent insurance claims or to obtain prescription drugs under a stolen identity.
    • Privacy and Reputational Risks: Sensitive medical details, if disclosed, can create personal privacy harms for patients and reputational concerns for service members and beneficiaries.

    CPAP’s notification emphasizes that the exact risk profile depends on which data fields were accessed for each individual.

    Company Response and Support for Impacted Individuals

    CPAP said it engaged external cybersecurity specialists to investigate the incident, notified law enforcement and state regulators, and sent breach letters to affected individuals. The company indicated it would provide complimentary credit and identity monitoring services to those whose information was exposed. CPAP’s communications included an apology and statements about efforts to assess the incident and notify impacted people.

    Healthcare Breach Trends and Industry Context

    The CPAP data breach sits within a year-to-year trend of large-scale healthcare incidents. Industry reporting and aggregated breach research highlight that healthcare providers and their vendors are frequent targets because of the rich, high-value datasets they maintain. For context, searches of prior sector reporting show 2024 saw hundreds of millions of healthcare records exposed across multiple incidents. Such patterns have prompted regulators and purchasers to scrutinize third-party vendors that handle protected health information.

    What Is Known and What Remains Unclear

    Known facts from CPAP’s disclosures: the intrusion window (December 13–21, 2024), an affected-person count exceeding 90,000 in state filings, the types of data potentially accessed, and the company’s engagement of outside cybersecurity experts and notification efforts. Unclear items include the method of compromise, whether data was exfiltrated or only viewed, the identity of the threat actor, and whether forensic analysis has revealed any downstream misuse beyond CPAP’s statement that no misuse is currently known.

    CPAP’s breach highlights the persistent risks faced by healthcare vendors and the particular sensitivity when providers serve military populations. With over 90,000 individuals affected and a set of potentially exposed identifiers and protected health information, the incident represents a significant healthcare data breach in 2024. CPAP’s notification to regulators and to impacted customers forms the public record for now; further technical details and investigative findings may appear as authorities and external responders complete their work.
