Apria Healthcare says potentially 2M people caught up in IT security breach

No suprise

Apria feels like an insurance racket. Your insurance company tells you to go to Apria for supplies and you're on your own. There is my.apria.com for insurance covered supplies and www.apriadirect.com for non-insurance supplies. The two sites look similar and they make it easy to permanently transfer to the non-insurance version. Non-insurance prices are, of course, inflated and there is zero insurance reimbursement possible. Even if you know there are two sites and successfully remain on the insurance side of things, the co-pay might be the same as the market value of what you're buying.

"This financial information includes bank account and credit card numbers in combination with security codes, access codes, passwords and account PINs" - Last time I checked, banks prohibited the storage of security codes. They may exist only long enough to set up payment authorization, then they must be erased.

"the purpose of the unauthorized access was to fraudulently obtain funds from Apria" - What's more likely: crims trying to get money out of a company that makes money vanish, or crims using the banking information and auth codes they just stole?