CPAP Compliance Tracking: How Much Data Is Your Machine Sending?


Your CPAP machine knows when you sleep, how long you sleep, whether your mask leaked, how many apnea events you had, and exactly how compliant you’ve been with therapy. It stores this data locally and, if you’re using a connected device, uploads it automatically to the manufacturer’s cloud servers.

This data collection serves legitimate medical purposes. It helps doctors monitor therapy effectiveness and troubleshoot problems remotely. But it also raises privacy questions that most CPAP users haven’t considered.

What Data Gets Collected

Modern CPAP machines record comprehensive usage information:

Basic usage: Hours of use per night, how many nights you used it, total runtime over weeks and months.

Therapy data: AHI (apnea-hypopnea index), central vs obstructive events, pressure settings and adjustments if using an auto-titrating machine.

Mask performance: Leak rates, large leak events, mask-off events.

Breathing patterns: Respiratory rate, minute ventilation, inspiratory time, periodic breathing events.

Device performance: Motor runtime, pressure delivery accuracy, humidifier usage, any device errors or alerts.

Some premium machines also track sleep stages, body position, and snoring intensity. The level of detail is remarkable.

Where Does This Data Go?

If your CPAP has cellular or Wi-Fi connectivity (most devices sold in the past 3-4 years do), it automatically uploads usage data to the manufacturer’s cloud platform — ResMed’s myAir, Philips’ DreamMapper, Fisher & Paykel’s InfoSmart.

From there, your sleep doctor or clinic can access it. They review compliance reports, check therapy effectiveness, and make adjustments without requiring you to come in for an appointment.

But it doesn’t stop there. Depending on your healthcare system and insurance situation, this data may also go to:

Insurance companies: In the USA particularly, Medicare and private insurers require CPAP compliance data to continue covering equipment and supplies. You need to use your machine at least 4 hours per night for 70% of nights in the first 90 days to maintain coverage. The insurance company checks your usage data directly.

DME suppliers: The durable medical equipment company that provided your CPAP typically has access to your usage data to verify compliance and manage supplies.

Research databases: Aggregated, de-identified data from millions of CPAP users feeds into sleep research and device improvement efforts. This isn’t inherently bad, but you probably didn’t explicitly consent to it when you signed up.

Australian Privacy Context

Australia’s privacy landscape is different from the USA. We don’t have the same insurance-driven compliance monitoring, so there’s less third-party pressure on data access.

But Australian users still have CPAP machines that collect and upload data to manufacturer servers, often hosted overseas. That data is subject to foreign privacy laws and corporate policies, not just Australian regulations.

The manufacturer’s privacy policy governs how your data is used, shared, and retained. Most people never read these policies. They’re long, legalistic, and deliberately vague about exactly what might happen to your data.

Can You Opt Out of Data Upload?

Technically, yes. Practically, it’s complicated.

Most connected CPAP machines let you disable wireless data transmission. You access a settings menu on the device and turn off cellular/Wi-Fi. Your data stays local on the machine’s SD card.

But if you do this, your doctor can’t access your data remotely. You need to physically bring your SD card or machine to appointments for data download. This is less convenient and might delay therapy adjustments.

Some sleep clinics strongly encourage or even require connected monitoring as part of their treatment protocol. Opting out might complicate your relationship with the clinic.

And if you’re in a system where insurance companies require compliance data (like USA Medicare), opting out of wireless transmission can jeopardize your coverage.

Security Concerns

Medical device cybersecurity is… not great. CPAP machines aren’t pacemakers or insulin pumps where remote hacking could immediately harm patients, but they’re still networked medical devices collecting sensitive health data.

ResMed and Philips Respironics both had security vulnerabilities disclosed in their connected CPAP platforms over the past few years. These were patched, but they illustrate that the devices aren’t immune to cybersecurity problems.

The bigger risk isn’t someone hacking your individual CPAP. It’s breaches of the manufacturer’s central database where millions of patients’ data is stored. If that happens, your sleep data could leak alongside personally identifying information.

Data Retention and Deletion

How long do manufacturers keep your CPAP usage data? Usually indefinitely, unless you specifically request deletion.

The data has ongoing value for research, device improvement, and as a record of your historical therapy. But there’s no technical reason it needs to be retained forever.

If you stop using CPAP or switch to a different manufacturer, your old data sits on servers potentially forever. Most privacy policies allow manufacturers to retain de-identified data even if you request deletion of personal identifiers.

Third-Party Apps and Integrations

CPAP data platforms sometimes integrate with other health apps and services. ResMed’s myAir can connect to Apple Health, Google Fit, and other wellness platforms.

Every integration is another point where your data flows. Each connected service has its own privacy policy and data practices. The more places your data goes, the less control you have over it.

Some users find value in consolidated health tracking. Others prefer to keep CPAP data siloed and not share it with general fitness platforms.

What You Can Do

Read the privacy policy for your CPAP manufacturer’s connected platform. Yes, it’s boring and long. Do it anyway. Understand what’s being collected, where it goes, and who has access.

Ask your sleep clinic what happens to your data. Who sees it besides your doctor? Is it shared with researchers? With the device supplier? With anyone else?

Consider local-only data storage if you’re comfortable with manual data downloads at appointments and don’t need remote monitoring. This keeps data on your SD card instead of in the cloud.

Check your account settings on the manufacturer’s platform. Some allow you to restrict certain data sharing or integrations. Options are limited, but there might be some control available.

Request data deletion if you stop using CPAP or switch manufacturers. Whether they actually delete it depends on their policy, but asking creates a record of your request.

The Tradeoff

Connected CPAP monitoring provides genuine benefits. Remote troubleshooting catches problems early. Compliance tracking helps maintain therapy discipline. Longitudinal data helps doctors optimize treatment.

But those benefits come with privacy and security tradeoffs. Your sleep data and breathing patterns are being collected, uploaded, stored indefinitely, and potentially shared in ways you didn’t explicitly agree to.

For most users, the medical benefits probably outweigh the privacy concerns. CPAP therapy works, and connected monitoring makes it work better.

But you should know what you’re trading. Informed consent means understanding that your CPAP isn’t just treating sleep apnea — it’s generating a detailed data trail of your nightly breathing patterns that will exist on corporate servers for years.

That might be fine with you. It might not be. But either way, it’s happening, and most CPAP users have no idea how much data their machine is collecting and where it’s going.