Patients of anesthesia medical practices affiliated with Somnia Inc. have filed four class action lawsuits accusing the Harrison medical management company of negligence in a massive data breach.
Five individuals from California and Texas filed the complaints in U.S. District Court in White Plains from Oct. 31 through Nov. 8, on behalf of more than 400,000 people whose personal records were compromised.
Somnia has offered free credit monitoring services to the victims, but the accusers claim that the company was negligent in not preventing the data breach and has been deceptive about the incident.
“It appears that Somnia is trying to completely avoid any and all responsibility for the data breach,” Irene Chabak of El Paso County, Texas claims in her complaint, and downplaying “the severity of the data breach.”
Somnia CEO and president Marc E. Koch did not respond to an email asking for a response to the allegations. A statement posted on the company’s website says “we deeply regret any concern this has caused our partners and patient community.”
Somnia is a privately held company established in 1996 that manages anesthesia services at more than a hundred surgery centers and medical offices across the country. It has at least 18 affiliates, according to the lawsuits, such as Mid-Westchester Anesthesia Services P.C. at Phelps Hospital in Sleepy Hollow, where 707 patient records were hacked.
The data breach was discovered in July and Somnia immediately responded, according to a “security incident” notice posted on its website. Systems were disconnected and cybersecurity experts were hired to determine the nature and scope of the incident.
Investigators found that some patient information “may have been compromised,” the notice states, including names, social security numbers, health insurance numbers, and diagnoses and treatments.
Somnia says its medical “entities” were notified to contact their patients. Later, the company sent letters to the patients with more information about the breach and instructions on enrolling in free credit monitoring services.
The company also reported the incident to law enforcement and the U.S. Department of Health and Human Services.
The lawsuits depict Somnia’s actions much differently.
The data breach happened either on July 11 or July 15, according to conflicting disclosures.
Somnia waited two months to notify government authorities and the affected patients, according to the Chabak complaint. Even then, the notifications were made “obliquely” through the affiliates.
More than three months after the data breach, ten affiliates notified the Montana attorney general in language that allegedly obscured Somnia’s responsibility. The notices failed to disclose exactly what information was stolen, how many patients were compromised, how long the data breach lasted and how quickly Somnia reacted.
The accusers claim that the data breach should never have succeeded.
The risk was known and foreseeable, the Chabak complaint states, and the breach was a result of Somnia’s “abject failure to implement and to maintain adequate and reasonable cybersecurity procedures.”
The possible consequences are dire. Data thieves can wreak havoc by using personal patient information to file fraudulent tax returns, open bank accounts, impersonate the victims and steal benefits.
The full impact may not become known for years, according to a complaint filed by Randy Polk of Los Angeles and Kelly Wilson of San Bernardino, California.
Both were patients of Palm Springs Anesthesia Services, a Somnia subsidiary that notified them of the breach on Oct. 27. Both claim they have received numerous calls and texts from scammers offering various medical services.
The plaintiffs are asking the court to certify their cases as class actions on behalf of everyone affected by the data breach. They are demanding unspecified damages and a court order requiring Somnia to secure, upgrade, test, and monitor its data systems and procedures.
