Jax firm’s health care data breach sparks legal action
(Courtesy of the Jacksonville Business Journal)
When hackers broke into Jacksonville-based CPAP Medical Supplies and Services late last year, they didn’t just target a small health care supplier — they tapped into one of the most vulnerable and valuable sectors in the cyber world.
The breach, discovered in June but tied back to December 2024, underscores what cybersecurity experts like OnDefend CEO Chris Freedman have long warned: health care companies are prime targets for cybercriminals because of the sensitive troves of patient data they manage.
While CPAP says it has no evidence that personal information was misused, the incident has already triggered legal scrutiny and highlights the urgent need for continuous defense strategies that go beyond compliance checkboxes.
The organization, which provides sleep apnea equipment to patients, discovered June 27 that the breach happened between Dec. 13 and Dec. 21, notifying relevant individuals impacted on Aug. 15, according to a data notice posted to the company’s website this month.
On the heels of that announcement, Philadelphia-based law firm Edelson Lechtzin LLP said it was investigating a class action lawsuit to seek legal remedies for those whose sensitive data may have been compromised.
What happened at CPAP is far from isolated — it reflects a broader reality facing the health care industry, particularly in North Florida where the sector is both large and vital.
Health care organizations store many forms of sensitive information, from financial records to personal identifiers, but it’s the health care-specific data that remains the “mother lode” for cybercriminals, Freedman told the Business Journal.
Hospitals and large providers are required to meet compliance standards and typically undergo annual cybersecurity audits. Yet even with those safeguards, Freedman cautioned against assuming compliance alone provides protection. “Compliance does not mean you’re necessarily cyber secure because things change,” he said. That gap between regulatory requirements and real-world threats is where OnDefend positions itself.
The Jacksonville-based firm specializes in preventative testing and advisory services, aiming to help clients move beyond the limits of once-a-year audits. This year, OnDefend launched its Ransomware Defense Validation, a program that continuously simulates cyberattacks to confirm that defenses are actually working against evolving threats. Delivered through OnDefend’s BlindSPOT system — which secured a patent for the technology Wednesday — the platform validates security tools in real time and alerts users when vulnerabilities emerge.
“Installing locks and alarms is one step,” Freedman said. “But what if every day someone from the home security company opened every door and window in your house to ensure the locks were preventing break-ins, the sensors were triggering, and the security team was responding in real time.”
