Notice of Philips Respironics Data Breach

Pulmonary & Sleep Medicine Associates, LLP (“Pulmonary & Sleep”) is providing notice of a recent

security incident experienced by one of its third-party vendors, Philips Respironics, that may have affected certain information of Pulmonary & Sleep’s patients. 

According to Philips Respironics, on June 5, 2023, Philips Respironics was made aware of a security incident where an unauthorized third-party exploited a vulnerability in Progress Software’s MOVEit Transfer software to access information stored on a Philips Respironics server. Philips Respironics reported that it used the MOVEit Transfer Software as a system for exchanging files containing therapy data from sleep and respiratory devices. Philips Respironics stated that it immediately took steps to secure its systems and perform further investigation and analysis on the impact to its systems. The investigation by Philips Respironics indicated that, on May 31, 2023, an unauthorized third-party extracted files contained on an online server of Philips Respironics. 

On January 8, 2024, Philips Respironics notified Pulmonary & Sleep that the incident may have included some personal information of Pulmonary & Sleep’s patients. According to Philips Respironics, the types of information contained in the extracted files may have included name, address, date of birth, email address, phone number, health insurance policy number, patient ID, facility ID, setup date, device serial number, and modem serial number. Philips Respironics stated that, upon being notified by Progress Software of the vulnerabilities in the MOVEit Transfer software, it immediately implemented the security measures recommended by Progress Software and updated and patched its servers and software solutions. 

As a precautionary measure, Philips Respironics reported that it has suspended use of the MOVEit Transfer software and is continuing to work to ensure all appropriate security measures are in place to safeguard personal information. Philips Respironics is notifying affected patients for whom it had current contact information and arranged to provide credit monitoring and identity theft protection services at no charge to patients. Individuals who did not receive notification, but believe their information may have been impacted, can call the dedicated assistance line below. Any impacted patients are encouraged to enroll in the offer of free credit monitoring and remain vigilant against incidents of identity theft and fraud by reviewing account statements and monitoring free credit reports for suspicious activity regularly. 

Individuals who have questions about this third-party vendor incident, or who did not receive notification but believe their information may have been affected, can call (888) 541-7970, Monday through Friday, 9:00am to 9:00pm Eastern Time.