Vendor Hack Tied to 20 Anesthesiology Practice Breaches
New York Firm At Center of Breaches Affecting About 430,000
A hacking incident at a New York-based administrative services firm has resulted in a growing list of anesthesiology practices reporting breaches that so far have affected the personal information of about 430,000 people.
Somnia Inc., in Harrison, New York, is a physician-owned anesthesia management services firm that also appears to have corporate or leadership ties to at least some of the 20 practices that reported breaches.
Marc Koch, M.D., president and CEO of Somnia, is listed as CEO of Resource Anesthesiology Associates of VA LLC, which reported a breach affecting 4,200 individuals to state and federal regulators.
At least five entities operating in states including Virginia, California, Illinois, Pennsylvania and Kentucky under variations of the "Resource Anesthesiology Associates" name filed breach reports on Sept. 23 or Oct. 24 with the U.S. Department of Health and Human Services or with various state regulators, including the Maine attorney general, in recent weeks. Those five Resource Anesthesiology Associates breaches affected a total of more than 85,000 individuals.
Somnia did not immediately respond to Information Security Media Group's inquiry about whether Somnia has an ownership stake in any of the practices.
Overall, the largest Somnia-related breach was reported to HHS' Office for Civil Rights on Sept. 23 by Providence WA Anesthesia Services PC, affecting nearly 99,000 individuals.
Breach notification letters being mailed from the affected anesthesiology practices to their patients do not identify Somnia as the "management services organization" that experienced the hacking incident.
A Somnia spokeswoman confirmed to ISMG that the firm is the management services organization behind the recent breaches affecting "some" of its anesthesiology practice clients. Somnia declined to disclose how many clients and individuals in total were affected.
Anesthesia Practices Affected by the Somnia Hack
| Breached Entity | Individuals Affected |
|---|---|
| Providence WA Anesthesia Services | 98,700 |
| Palm Springs Anesthesia Services | 58,500 |
| Anesthesia Services of San Joaquin | 44,000 |
| Anesthesia Associates of El Paso | 43,200 |
| Resource Anesthesiology Associates | 37,700 |
| Resource Anesthesiology Associates of IL | 18,300 |
| Bronx Anesthesia Services | 17,800 |
| Resource Anesthesiology Associates of CA | 16,000 |
| Grayling Anesthesia Associates | 15,400 |
| Hazleton Anesthesia Services | 13,600 |
| Anesthesia Associates of Maryland | 12,400 |
| Somnia Pain Mgt of Kentucky | 11,000 |
| Upstate Anesthesia Services | 9,100 |
| Resource Anesthesiology Associates Of KY | 9,000 |
| Saddlebrook Anesthesia Services | 8,900 |
| Fredericksburg Anesthesia Services | 7,100 |
| Resource Anesthesiology Associates of VA | 4,200 |
| Lynbrook Anesthesia Services | 3,800 |
| Mid-Westchester Anesthesia Services | 700 |
Somnia did not disclose to ISMG the type of hacking incident it experienced, including whether it involved ransomware or data exfiltration.
"Fortunately, there was very limited impact to IT services and no interruption to any anesthesiology providers’ ability to provide services to their patients," the Somnia spokesperson tells ISMG.
Notification letters being sent to patients by the anesthesia practices say that on July 11, their management services company identified "suspicious activity" on its systems.
"The management company immediately implemented its incident response protocols, disconnected all systems and engaged external cybersecurity experts to conduct a forensic investigation," the letters say.
The forensic investigation into the incident found that some information stored on the management company’s systems may have been compromised, the letters say.
Affected information includes individuals' names, Social Security numbers and some combination of other data, including date of birth, driver's license number, financial account information, health insurance policy number, medical record number, Medicaid or Medicare ID, and health information such as treatment and diagnosis.
An attorney who filed data breach reports to the Maine attorney general's office for nearly a dozen anesthesia practices affected by the hacking incident did not immediately respond to ISMG's request for additional details.
Somnia says that in the wake of the incident, the firm has taken steps to prevent a similar incident in the future. That includes conducting a global password reset, tightening firewall restrictions and implementing enhanced endpoint threat detection and response monitoring software on workstations and servers.
The Somnia breach is among an ever-growing list of hacking and other data security incidents involving business associates that are affecting scores of covered entities and millions of their patients so far this year.
In fact, as of Friday, the largest breach posted on the HHS' Office for Civil Rights HIPAA Breach Reporting Tool website so far in 2022 was reported by business associate OneTouchPoint, a Wisconsin-based printing and mailing vendor.
That ransomware incident was reported as affecting more than 4.1 million individuals (see: Federal Tally Reaches 5,000 Health Data Breaches Since 2009).
"Covered entities must take business associate due diligence very seriously," advises regulatory attorney Paul Hales of the Hales Law Group.
A covered entity that entrusts protected health information to a business associate without confirming the vendor's data security and privacy programs and practices "seems like a textbook example of ‘willful neglect,’ subject to the highest HIPAA civil monetary penalties," he says.