Somnia Inc. (Somnia) recently experienced a data security incident that may have impacted protected health information (PHI) of some of the anesthesia practices to whom we provide support services, as well as a limited amount of personal information for some Somnia employees. Somnia informed potentially impacted covered entities of the incident and has also notified impacted individuals of the incident.
What Happened?
In July 2022, Somnia identified suspicious activity on its systems. Somnia immediately implemented its incident response protocols, disconnected all systems, and engaged external cybersecurity experts to investigate to determine the nature and scope of the incident. The investigation found that some information stored on Somnia’s systems may have been compromised. The potentially compromised information was then reviewed to identify any personally identifiable or protected health information.
Somnia notified covered entities of this incident and has been working with covered entities to notify impacted individuals. Notice was provided to impacted individuals on September 22 and 23, 2022, through substitute notice. Somnia worked to obtain addresses for impacted individuals, and letters were subsequently sent to individuals on October 24, 2022, providing more information about the incident and instructions on enrolling in the free credit monitoring services offered through IDX.
Somnia has also reported this incident to law enforcement and the Department of Health and Human Services Office of Civil Rights.
What Information Was Involved?
Impacted information may include names, and some combination of the following data elements: Social Security number, date of birth, driver’s license number, financial account information, health insurance policy number, Medical Record Number, Medicaid or Medicare ID, and health information such as treatment and diagnosis info.
What Are We Doing?
Somnia has taken steps to prevent a similar incident in the future, including a global password change, tightening firewall restrictions, and deploying endpoint threat detection and response monitoring software on workstations and servers.
In addition, although there is evidence that any information has been misused, Somnia has arranged for impacted individuals to receive credit monitoring and identity protection services through IDX, the data breach and recovery services expert.
Impacted individuals are encouraged to enroll in the services offered through IDX and should monitor their credit reports and financial statements for suspicious activity. Individuals can contact 1-833-764-2864 with questions or to find out if they were affected by this incident.
The privacy and protection of all information in our control is a matter we take very seriously, and we deeply regret any concern this has caused our partners and patient community.