10 Min Read

•

Aug 26, 2025

Apria Healthcare Data Breach Class Action Settlement June 2025

Summarize & Ask Questions About This Post With AI:

ChatGPT Perplexity Claude Grok Google AI

Apria Healthcare has reached a $6.4 million settlement for data breaches occurring in 2019 and 2021 that exposed 1.9 million individuals‘ personal information. You’re eligible if you received a breach notification. Claims must be filed by October 22, 2025, with reimbursements up to $2,000 for documented losses including identity theft expenses and time spent resolving issues. The consolidated class action addressed negligence in security practices. Further details may greatly impact your potential compensation.

Table of Contents

Key Takeaways

Apria Healthcare reached a $6.4 million settlement for data breaches affecting 1.9 million individuals in 2019 and 2021.
Affected individuals can claim up to $2,000 for documented losses with submission deadline of October 22, 2025.
Settlement eligibility requires having received breach notices from 2019 or 2021 incidents.
Individuals must decide by September 22, 2025 whether to opt out for separate legal action.
The settlement addresses consolidated lawsuits across six states in the Southern District of Indiana federal court.

Timeline of the Apria Healthcare Data Breach Events

While Apria Healthcare’s data security incidents span multiple years, the timeline reveals a concerning pattern of breaches beginning in April 2019, when initial unauthorized access compromised customer and employee data. This initial breach exploited system vulnerabilities, allowing sustained unauthorized access.

In 2021, a second breach occurred, further exposing sensitive information. Despite these significant data security failures, Apria didn’t notify the 1.9 million affected individuals until May 2023—years after the initial compromise.

Most recently, in March 2025, a physical document mishandling incident exposed PHI of 713 individuals, who were promptly notified by March 28, 2025. This latest breach differs from earlier cybersecurity incidents but highlights ongoing breach prevention challenges within the organization’s security infrastructure, both digital and physical. The incident follows a troubling trend where healthcare organizations have experienced an alarming rise in cyberattacks targeting sensitive patient information. The recent data breaches have now been consolidated into a single lawsuit in Indiana with a settlement of $6.4 million. The settlement amount of $6.3 million demonstrates the significant financial impact of these data breach claims. Court documents show that the compromised information included personal, medical, health insurance, and financial data of patients. Affected individuals are encouraged to contact Srourian Law Firm for guidance on potential legal avenues available following this breach.

Scope and Scale of Affected Information

The Apria Healthcare data breach exposed personally identifiable information of nearly 2 million patients and employees across multiple states, comprising names, addresses, contact details, and in limited cases, Social Security numbers. Your sensitive healthcare records, including treatment specifics and health insurance information, were potentially accessed during the two separate unauthorized access periods occurring in 2019 and 2021. Your financial information was compromised, creating substantial risk for identity theft and financial fraud, though Apria has subsequently offered complimentary identity protection services as part of its $6.4 million settlement. The breach was discovered with unauthorized access occurring on September 1, 2021. The company operates with approximately 280 branch locations across the United States, making this breach particularly widespread. Investigators determined the hackers were primarily seeking to fraudulently obtain funds rather than steal personal data. The second data breach was only disclosed in May 2023, almost two years after the incident occurred.

Massive Data Exposure Breakdown

Apria Healthcare’s dual data breaches constituted one of the most extensive healthcare data exposures in recent years, compromising sensitive information of 1,869,598 patients and employees nationwide. Your personal and financial security may have been severely compromised due to inadequate data protection protocols and cybersecurity measures. Affected individuals are eligible for up to $2,000 compensation through the recently announced class action settlement.

Breach Period	Exposed Data	Potential Impact
Apr-May 2019	SSNs, Financial Details	Identity Theft Risk
Aug-Oct 2021	Health Insurance Info	Medical Fraud Exposure
Both Periods	Personal Identifiers	Ongoing Privacy Violation

The unauthorized access spans multiple categories of sensitive information, including your Social Security numbers, bank account details, and health insurance information. This thorough exposure leaves you vulnerable to identity theft, financial fraud, and healthcare scams, with notification delays of 20 months exacerbating your risk.

Personal Health Records Compromised

Staggering in scope, the personal health records compromised during Apria Healthcare’s dual data breaches encompass critical medical identifiers that you’d reasonably expect to remain confidential.

Your exposure includes medical device descriptions documented in patient records, account numbers, service dates, and health insurance information—all fundamental aspects of patient confidentiality. While direct medical diagnoses weren’t explicitly targeted, the compromised elements provide sufficient context about your healthcare utilization patterns.

The breaches, occurring over two distinct periods (April-May 2019 and August-October 2021), affected nearly 1.9 million individuals whose data protection rights were violated. Unauthorized users gained access to systems containing Social Security numbers and other sensitive personal information. Apria Healthcare notified affected individuals and offered complimentary identity protection services to mitigate potential harm from the exposure. Forensic analysis confirmed unauthorized access targeting your financial information alongside these health records. As a member of this affected class, you should understand that while treatment details weren’t primarily compromised, the exposed healthcare identifiers represent significant privacy violations under HIPAA standards.

Multi-State Information Impact

Nationwide in scope, your compromised information extends across multiple jurisdictions following Apria Healthcare’s dual breaches, creating a complex legal and regulatory landscape that compounds liability issues. With 1.8+ million affected individuals across Apria’s 280 locations, your data vulnerability transcends state boundaries while triggering various state regulations.

Your personally identifiable data (names, addresses, contact details) combined with financial information creates heightened identity theft risks
Medical records and health insurance information exposure introduces specific privacy concerns under HIPAA frameworks
Social Security numbers of both patients and employees represent the most severe category of compromised data

The multi-state litigation involving Indiana, California, Illinois, Washington, Missouri, and New York demonstrates how your information’s exposure triggered widespread regulatory scrutiny, with each jurisdiction applying its own consumer protection standards to your compromised data. The $6.3 million settlement represents a significant financial commitment to address the data security negligence that led to these extensive breaches.

Settlement Compensation Details and Eligibility

Following the landmark data breach incidents affecting Apria Healthcare, eligible individuals can now pursue compensation through a structured settlement program that’s been established with specific criteria and monetary limitations.

You’re eligible if you received breach notices for the 2019 or 2021 incidents and haven’t already settled. The $6.4 million fund provides reimbursement for documented expenses including fraud losses, credit monitoring fees, and breach mitigation costs up to $2,000 per claimant. Your claim submission must include supporting documentation and be filed by October 22, 2025.

The reimbursement process operates on a pro rata basis after attorneys’ fees (33%) and service awards ($50,000) are deducted. The breaches exposed approximately 1.87 million individuals to potential identity theft and privacy violations. Remember, payment amounts aren’t guaranteed and depend on total participation and remaining funds.

How to File a Claim Before the October Deadline

Maneuvering through the Apria Healthcare data breach claim process requires adherence to strict deadlines and documentation requirements established under the settlement agreement. Your claim submission must be completed by October 22, 2025, with no exceptions for late filings.

Submit via the claims administrator website or mail-in option using the address provided on the settlement portal
Attach required documentation proving breach-related expenses, including receipts, bank statements, or credit reports showing unauthorized activity
Retain copies of your submitted materials and the original Apria breach notice

Eligible class members can receive up to up to $2,000 for documented monetary losses directly resulting from the data breach. Following claim submission, monitor the settlement website for processing updates. Remember to update your contact information if it changes to guarantee receipt of compensation following the November 4, 2025 final approval hearing.

Legal Proceedings and Consolidated Lawsuits

You’re examining a complex legal consolidation that merged multiple class action lawsuits across six states into a single proceeding in the U.S. District Court for the Southern District of Indiana. The consolidated litigation addresses allegations spanning negligence, breach of contract, breach of fiduciary duty, and violations of consumer protection laws related to two distinct data breaches affecting nearly 1.9 million individuals. The $6.375 million settlement structure strategically allocates funds between direct reimbursement claims (up to $2,000 per claimant) and pro rata distributions, while parallel proceedings by the Indiana Attorney General remain active despite the class action resolution.

Class Action Consolidation

Due to the complexity and widespread impact of Apria Healthcare’s data breaches, multiple lawsuits were consolidated in October 2023 at the U.S. District Court for the Southern District of Indiana. This consolidation combines claims from both the 2019 and 2021 breach incidents, affecting nearly 1.9 million individuals nationwide under federal jurisdiction.

The class action benefits and legal implications of this consolidation include:

Streamlined legal proceedings for more efficient resolution
Uniform application of legal standards across all affected parties
Enhanced negotiating leverage leading to the $6.375 million settlement fund

This strategic consolidation creates a collective avenue for redress while maintaining your individual right to opt out by September 22, 2025, should you wish to pursue separate legal action regarding the unauthorized access to your personal data. Affected members can seek compensation for out-of-pocket losses up to $2,000 per person with proper documentation.

Multiple State Involvement

While the Apria Healthcare data breach litigation initially emerged from incidents in Indiana, the legal proceedings rapidly expanded to encompass multiple state jurisdictions with varying legal standards and statutory requirements.

The consolidated federal action in the Southern District of Indiana now includes state claims from California (CCPA violations), Illinois (BIPA concerns), Washington, Missouri, and New York. Each jurisdiction contributed distinct legal theories regarding privacy invasion and consumer protection standards. State-mandated breach notifications formed a critical component of the litigation, with plaintiffs alleging insufficient or delayed disclosures.

Though the federal settlement supersedes most state-level tort actions, the Indiana Attorney General’s separate enforcement proceeding remains active. The settlement structure accounts for state-specific damages and remedies, ensuring equitable compensation regardless of your residence. Eligible individuals must submit Approved Claims by the deadline to receive compensation for losses or expenses.

Settlement Structure Analysis

Following the consolidation of multiple lawsuits into a single class action in October 2023, the Apria Healthcare data breach settlement has evolved into a thorough $6.4 million resolution framework administered through the U.S. District Court for the Southern District of Indiana. The settlement structure offers compensation addressing both the 2019 and 2021 breach incidents affecting approximately 1.8 million individuals nationwide.

Settlement fairness analysis reveals attorneys seek 33% of funds plus expenses
Class members can receive up to $2,000 for documented, unreimbursed expenses
Remaining funds distribute pro rata after fees and claims processing

While the settlement proceeds without admission of wrongdoing by Apria, class member feedback has been considered in structuring the compensation tiers. The case follows a pattern similar to other data breach incidents where sensitive patient information was compromised due to inadequate security measures. The court’s November 2025 approval hearing will determine if this resolution adequately addresses the compromised personal, medical, and financial data.

Security Vulnerabilities That Led to the Breach

The security vulnerabilities that precipitated Apria Healthcare’s data breach exemplify a cascade of systemic failures across multiple defensive layers. The company’s infrastructure fell victim to sophisticated phishing tactics in both 2019 and 2021, enabling unauthorized access to systems containing protected health information for over 1.8 million individuals.

These cybersecurity failures weren’t isolated incidents but rather symptoms of deeper organizational deficiencies. You’ll note the alarming pattern: inadequate network monitoring delayed breach detection; unpatched systems created exploitable weaknesses; and insufficient staff training left employees vulnerable to business email compromise. Like many healthcare providers in June 2025, Apria’s breach was part of a troubling trend showing a 16.67% increase in healthcare data breaches month-over-month. Physical security lapses compounded these issues, as evidenced by the 2025 incident exposing 713 patients’ records through improperly secured documents. The recurring breaches across multiple years demonstrate that Apria failed to implement appropriate security measures despite clear warning signs.

Industry Impact and Lessons for Healthcare Organizations

Apria Healthcare’s massive data breach has sent shockwaves across the healthcare industry, creating a watershed moment that’s reshaping cybersecurity protocols nationwide. As a healthcare provider, you’re now witnessing stricter compliance expectations and heightened patient trust concerns following this $6.37M settlement.

The case offers critical lessons you’ll need to implement:

Deploy real-time monitoring systems that can detect unauthorized access within hours, not months
Establish thorough third-party vendor audit procedures to prevent similar exploitation vectors
Implement encryption standards for all portable devices containing patient data

The lack of proper encryption on the stolen laptop directly contributed to the exposure of thousands of patients’ sensitive information. With 1.86 million individuals affected across two breaches, your organization must recognize that robust cybersecurity strategies aren’t optional—they’re essential for survival. This incident follows the concerning pattern of hacking incidents surging by 239% from 2018 to 2023 across the healthcare sector. The financial and reputational consequences of similar failures could prove catastrophic for your practice in today’s liability-focused healthcare environment.

Frequently Asked Questions

Can I Claim if I Never Received a Notification Letter?

You’re likely ineligible without proof of notification, as claim eligibility depends on documented inclusion in the notification process. Contact the settlement administrator to verify your status before submission.

Will This Settlement Affect My Health Insurance Coverage With Apria?

No, your health insurance coverage won’t be affected. The settlement impact is limited to addressing past data breaches through financial compensation, not altering your existing healthcare services or benefits.

How Is Identity Theft Protection Being Handled for Affected Minors?

Your minor protection requires parental action to claim identity monitoring benefits. You’ll need to file eligible minors’ claims by October 22, 2025, documenting their exposure and any resulting expenses you’ve incurred.

Are Former Apria Employees Eligible for Compensation?

Yes, your former employee rights include compensation eligibility if you received Apria’s breach notification. You’re entitled to the same benefits regardless of your employment status during the 2019/2021 incidents.

What Tax Implications Might Result From Receiving Settlement Payments?

You’ll likely face settlement taxation on received payments. Taxable portions must be reported as income with proper payment reporting. Attorney fees may be deductible, but won’t eliminate your overall tax liability.

References