A physician-owned company offering administrative services to anesthesiology companies in New York is facing multiple class action lawsuits because of a cyberattack and data breach, which has impacted about 24 entities. The incident led to the exposure and possible theft of over 450,000 patients’ protected health information (PHI).
The Department of Health and Human Services’ Office for Civil Rights began receiving data breach reports from Anesthesiology companies in September 2022. The notification letters sent to patients mentioned the occurrence of a data breach at their anesthesia management services provider but without giving the name of the company.
Based on the notification letters, the management services provider discovered the cyberattack around July 11, 2022, or July 15, 2022. The affected companies used two templates with varied dates. The forensic investigation confirmed the attackers got access to areas of its system that held the PHI of patients, such as names, birth dates, driver’s license numbers, Social Security numbers, financial account details, medical insurance policy numbers, Medicaid/Medicare IDs, medical record numbers, and medical data, which includes diagnosis and treatment details.
The management firm Somnia Inc is currently facing around five complaints that were filed in the U.S. District for Southern New York because of the data breach. Allegedly, Somnia was negligent for not implementing proper safety measures to protect the integrity, confidentiality, and availability of patient data. It did not comply with FTC rules and HIPAA Regulations and hadn’t adopted industry requirements for data security.
A few of the lawsuits likewise complain about how the breach was reported, that is, failing to bring up the name of Somnia Inc. in the notification letters. Also, in certain instances, to completely make known precisely what data was exposed. One lawsuit alleged that Somnia Inc. only reported the breach as impacting 1,326 patients, when the fact is there were over 400,000 individuals that were affected by the breach. Somnia is attempting to entirely escape any and all accountability for the security breach and is utilizing its local tactics to hide the identity of the accountable entity and to downplay the seriousness of the data breach.
The lawsuits claim people impacted by the breach currently face a sudden and increased risk of identity theft and fraud due to the disregard of Somnia, and want class-action status, compensation for loss, injunctive relief, sufficient credit monitoring and identity theft protection services, and a court order that calls for Somnia to employ better security procedures to make sure patient data is adequately secured.