Posted On November 2, 2022 Consumer Privacy & Data Breaches
On October 24, 2022, Somnia Pain Management filed notice of a data breach with the Attorney General of Maine after sensitive information that had been entrusted to the company was compromised when an unauthorized party gained access to the computer system of Somnia’s “Management Services Organization.” Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, Medical Record Numbers, Medicaid or Medicare IDs, and health information such as treatment and diagnosis information. After confirming that consumer data was leaked, Somnia began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Somnia data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Somnia Pain Management.
The available information regarding the Somnia Pain Management breach comes from the company’s filing with the Attorney General of Maine. According to this source, on July 11, 2022, the unnamed Management Services Organization (“MSO”) for Somnia detected suspicious activity within its computer network, which prevented it from accessing certain files. In response, the MSO disconnected all systems and enlisted outside cybersecurity professionals to assist with the company’s investigation. The investigation confirmed that some of the information on the MSO’s computer system was compromised, including sensitive patient data.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Somnia Pain Management began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Numbers, Medicaid or Medicare ID, and health information such as treatment and diagnosis information.
On October 24, 2022, Somnia Pain Management sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The Somnia Pain Management of Kentucky breach affected a reported 10,849 individuals.
The very same day, an entity by the name of “Somnia, Inc.” reported a data breach with the U.S. Department of Health and Human Services Office for Civil Rights, listing a total of 1,326 victims. At this point, it cannot be confirmed that Somnia, Inc. and Somnia Pain Management of Kentucky are related entities, although that remains a possibility.
Somnia Pain Management of Kentucky is a healthcare practice based in Lexington, Kentucky. The registered agent for Somnia Pain Management of Kentucky appears to be the same individual who founded Somnia, Inc.
Somnia, Inc. is a practice management company based in Harrison, New York. The company provides services exclusively to anesthesiologists and related healthcare professionals. The company operates in 13 states and works with over 200 payors. Somnia Pain Management employs more than 250 people and generates approximately $29 million in annual revenue.
U.S. data breach and consumer protection laws require companies to protect the consumer information in their possession. However, even when a company makes significant efforts—and especially when it does not—data breaches still happen. In some cases, companies that experience an otherwise preventable data breach may be liable for consumers’ losses related to identity theft and other frauds that follow in the breach’s wake.
However, just because a business gets hacked and the information in its possession ends up in the hands of cybercriminals doesn’t mean that the company is financially liable. Ultimately, data breach cases come down to whether a company was negligent leading up to the breach.
The framework of almost any negligence case requires a patient to prove the following:
When it comes to storing consumer data, there are several ways that a company might be negligent. However, in a third-party data breach such as the Somnia Pain Management of Kentucky breach, liability often rests with the party that experienced the cyberattack rather than the one entrusted with patient information. This is because unless Somnia Pain Management of Kentucky had reason to know that the unnamed MSO was incapable of securely storing patient data, it would be hard to make a case of negligence against Somnia Pain Management of Kentucky.
Third-party data breaches pose unique challenges for victims seeking compensation for their losses, which is why it is especially important for victims to consult with an experienced data breach lawyer.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Somnia data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Somnia Pain Management (the actual notice sent to consumers can be found here):
On July 11, 2022, the Management Services Organization (“MSO”) for Somnia Pain Management of Kentucky identified suspicious activity that impacted its ability to access some of its systems. The MSO immediately implemented its incident response protocols, disconnected all systems, and engaged external cybersecurity experts to conduct a forensic investigation. The investigation found that some information stored on the MSO’s systems may have been compromised. These documents were then reviewed to identify any protected health information that may have been affected. The initial report identifying those individuals whose protected health information was contained in the documents was provided on September 22, 2022, and the analysis and review of the report was recently completed.
Number of residents affected.
1 resident may have been affected and was notified of this incident. Letters were sent to potentially affected individuals via regular mail on October 24, 2022. Impacted information may include name and some combination of the following data elements: Social Security number, date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Number, Medicaid or Medicare ID, and health information such as treatment and diagnosis information.
Steps taken in response to the incident.
Since this incident, the MSO has, among other actions, conducted a global password reset, tightened firewall restrictions, and implemented endpoint threat detection and response monitoring software on workstations and servers. Additionally, impacted individuals were offered 12 months of credit monitoring and identity protection services through IDX.
Somnia Pain Management of Kentucky takes the security of the information in its control seriously and is committed to ensuring information within its control is protected. If you have any questions or need additional information, please do not hesitate to contact me at [Redacted] or (312) 651-4616.