Data leak

Apria Healthcare Data Breach (2021): 1.87 Million Patients via Email Phishing, Two Intrusion Periods

📅 2021-08-22 🏢 Apria Healthcare employee email systems

Incident Details

Apria Healthcare, a major US home healthcare equipment provider (durable medical equipment, infusion therapy, oxygen therapy), disclosed in May 2022 that it had experienced two separate unauthorized access incidents. The first breach ran from 5 May to 5 August 2019; the second from 22 August to 10 October 2021. The 2019 breach was only discovered during the forensic investigation of the 2021 incident. Approximately 1.87 million patients were affected. Data exposed included names, Social Security numbers, financial account information, health insurance details, medical record numbers, and clinical information. The 2022 disclosure came nearly three years after the first breach. HHS OCR opened an investigation. Multiple class-action lawsuits were filed. Owens & Minor acquired Apria in 2022.

Technical Details

Initial Attack Vector
Phishing emails compromised employee email accounts at Apria Healthcare. The company experienced two separate unauthorized access periods (May-August 2019 and August-October 2021); the 2019 intrusion was discovered during the investigation of the 2021 compromise.
Vendor / Product
Apria Healthcare employee email systems

Timeline

  1. 2021-08-22 Breach occurred
  2. 2022-05-22 Publicly disclosed
  3. 2022-05-22 Customers notified