CPAP Medical Data Breach Impacts 90,133 Individuals: SSNs Exposed

On June 27, 2025, CPAP Medical Supplies and Services discovered a major data breach that occurred over several days, from December 13th to 21st, 2024. According to the disclosure filed with the Maine Attorney General's office, a total of 90,133 individuals in the United States, including 133 Maine residents, are affected.

According to the public notice on its website, the breach exposed sensitive information including Social Security numbers and protected health information.

The breach was not immediately detected; it took several months before the company identified the unauthorized activity. While the exact method of intrusion has not been detailed in public disclosures, the extended window between the breach and its discovery suggests a sophisticated attack or a lapse in monitoring.

CPAP Medical Supplies and Services formally notified affected individuals in writing on August 15, 2025, including to the California Attorney General's office.

CPAP Medical Supplies' response

For those impacted, the company is offering complimentary credit monitoring and identity protection services through IDX. Affected individuals are encouraged to activate these services using the enrollment information provided in their notification letter. The company’s response line is available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time, for anyone seeking further information.

Given the exposure of Social Security numbers and health information, individuals should remain vigilant in monitoring their financial accounts and credit reports for any unusual activity. The company’s notice provides guidance on how to request free credit reports, place fraud alerts, and initiate security freezes with the major credit bureaus. It also includes tips for protecting medical information, such as reviewing explanation of benefits statements and contacting insurance providers about unfamiliar claims.