New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits
A New York-based physician-owned provider of administrative services to anesthesiology firms is facing several class action lawsuits over a cyberattack and data breach that has affected at least 24 entities and involved the exposure and potential theft of the protected health information of more than 450,000 patients.
Anesthesiology firms started reporting data breaches to the Department of Health and Human Services’ Office for Civil Rights in September 2022, with the notification letters to patients indicating there had been a data breach at their anesthesia management services organization. The notification letters failed to name that company.
According to the notification letters, the management services organization detected the cyberattack on or around July 11, 2022, or July 15, 2022 – two templates were used by the affected firms that had different dates. The forensic investigation determined the attackers had access to parts of its system that contained the protected health information of patients, including names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.
At least five complaints have now been filed in the U.S. District for Southern New York against the management company – Somnia Inc. – over the data breach that allege the company was negligent for failing to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of patient information, that Somnia failed to comply with FTC guidelines and the HIPAA Rules and had not followed industry standards for data security.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Some of the lawsuits also take issue with the way the breach was reported due to the failure to mention Somnia Inc. by name in the notification letters, and in some cases, to fully disclose exactly what information had been compromised. One lawsuit took issue with Somnia Inc. only disclosing the breach as affecting 1,326 patients, when the breach was known to have affected more than 400,000 individuals at the time and suggested, “Somnia is trying to completely avoid any and all responsibility for the data breach and is using its local practices to obscure the identity of the responsible entity as well as to downplay the severity of the data breach.”
The lawsuits allege individuals affected by the HIPAA compliance breach now face an immediate and elevated risk of identity theft and fraud as a result of the negligence of Somnia, and seek class action status, damages, adequate credit monitoring and identity theft protection services, injunctive relief, and a court order that requires Somnia to implement enhanced security measures to ensure patient information is appropriately protected.
