Numotion
America's largest wheelchair provider exposed patient data—diagnoses, SSNs, and home addresses for mobility equipment users.
What happened?
Numotion, the largest provider of wheelchairs and complex rehabilitation technology in the United States, disclosed a data breach affecting over 275,000 individuals. The company provides mobility equipment to people with disabilities—one of the most vulnerable patient populations—and held detailed medical and personal information about their conditions and needs.
What data was actually inside?
Patient names, Social Security numbers, medical diagnoses, insurance information, equipment prescriptions, and home addresses. Durable medical equipment (DME) providers collect detailed medical documentation to justify equipment, including diagnoses like ALS, muscular dystrophy, spinal cord injuries, and other conditions that qualify patients for wheelchairs.
The data identifies people with disabilities by name, address, and specific condition. It's a targeting list for those who would exploit vulnerable populations.
Who gets hurt and how?
People with mobility disabilities who needed wheelchairs. They're already dealing with significant health challenges; now their medical conditions are exposed. The data reveals who has progressive diseases, who is paralyzed, who depends on powered mobility equipment.
This population is particularly vulnerable to scams—attackers can impersonate equipment providers, insurance companies, or healthcare services. They know exactly what equipment people use and what conditions they have.
What did they think they were doing right?
Numotion is a major DME provider operating under HIPAA. They have compliance programs and handle Medicare/Medicaid billing—which requires security controls. They serve patients who depend on them for essential mobility equipment. Security should be fundamental to their operations.
DME providers handle sensitive protected health information (PHI) daily. The compliance requirements exist. The protections didn't work.
What did they not know about their own data?
Numotion didn't know how accessible their patient data was across their systems. DME companies collect extensive documentation for insurance justification—physician orders, medical records, functional assessments. This documentation accumulates over time, creating large repositories of sensitive information.
They knew they had patient records. They didn't know how exposed those records were until the breach revealed it.
What does attribution look like the morning after?
Notification to 275,000+ patients, many of whom face significant daily challenges already. Credit monitoring offers that require online navigation—potentially difficult for some patients. Explaining to disability advocacy groups why patient data was exposed. HHS OCR investigation under HIPAA.
For a company serving people with disabilities, the breach creates both legal liability and moral injury.
What would have changed the outcome?
Knowing where vulnerable patient data lives and protecting it accordingly.
If Numotion had mapped their data—patient diagnoses, SSNs, addresses—and understood they were holding a dataset identifying people with disabilities, they could have prioritized protection. This isn't just PHI; it's information about one of society's most vulnerable populations. They learned what they had when attackers found it.
Don't Learn What You Have From an Attacker
Numotion didn't know what patient data was at risk until the breach occurred. Risk Finder shows you first.