Indiana AG Sues Apria Healthcare for Data Breach(ing HIPAA Duties)

  • Indiana AG Todd Rokita sued home healthcare equipment and services provider Apria Healthcare, LLC for allegedly failing to investigate and inform consumers regarding data breaches beginning in 2019 in violation of state data security and consumer protection laws and Health Insurance Portability and Accountability Act (HIPAA) rules.
  • According to the complaint, Apria allegedly failed to implement HIPAA policies and procedures to safeguard protected health information (PHI), failed to detect unauthorized access to its network in 2019 and 2021, failed to restrict access to its website through which consumers could submit PHI and personal information after it became aware that there was an intruder in its system, and failed to inform over 1.8 million affected consumers nationwide of the breach until 2023.
  • The lawsuit seeks injunctive relief, civil penalties, attorney’s fees and costs, and restitution, among other relief.