Anesthesiology Services Firm Faces 5 Class Action Lawsuits

At Least 24 Medical Practices, 450,000 Patients Affected by Breach So Far
Proposed class action lawsuits are stacking up against a New York anesthesiology administrative services firm for its July hacking incident that affected about 450,000 patients nationwide.
At least five complaints filed in the U.S. District Court for the Southern District of New York allege that Somnia Inc. was negligent in failing to safeguard personally identifiable information and protected health information. The firm is a physician-owned anesthesia management services vendor that also appears to have corporate or leadership ties to at least some of the medical practices that reported breaches (see: Vendor Hack Tied to 20 Anesthesiology Practice Breaches).
The lawsuits allege the hacking incident has put affected individuals at risk for medical and identity theft and fraud. Plaintiffs' attorneys seek jury trials, damages and injunctive relief, including a court order for Westchester County-based Somnia to enhance its data security practices. Lead plaintiffs are patients who received breach notification letters from various anesthesiology practices whose data was compromised in the hacking incident.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website lists at least 24 entities that have reported major health data breaches since Sept. 23 tied to the Somnia incident.
Those breaches affected a total of more than 450,600 individuals. The largest of those breaches was reported by Providence WA Anesthesia Services PC on Sept. 23 as affecting nearly 99,000 individuals.
Breach notification letters mailed by the affected anesthesiology practices do not identify Somnia by name as the "management services organization" that experienced the hacking incident.
A lawsuit filed by plaintiff Irene Chabak alleges that Somnia is attempting to "avoid any and all responsibility for the data breach" by obscuring its involvement in the breach in the notification letters.
The suit goes on to accuse Somnia of failing to be fully transparent with patients by not revealing exactly what information was swept up in the breach and how many individuals are affected.
Somnia did not immediately respond to Information Security Media Group's request for comment on the lawsuits and for additional details about the incident.
So far in 2022, half of the 10 largest health data breaches posted to the HHS' Office for Civil Rights' breach reporting website involved business associates.
Jon Moore, senior vice president and chief risk officer at privacy and security consultancy Clearwater, says he sees several lessons emerging from the Somnia case and similar recent vendor breaches affecting long lists of covered entity partners and their patients.
"First, an organization can outsource services but not its compliance obligations. In particular, the obligation to report publicly a breach of 500 records or more and the resulting fallout is on the covered entity," he says.
Second, while HIPAA only requires that a covered entity have a signed business associate agreement in place with each of its business associates, "the risks involved often justify a deeper and ongoing look at the BA's security and HIPAA compliance practices and the associated risk to the covered entity," Moore says.
Finally, with class action lawsuits regularly being filed in the aftermath of major breaches, organizations must plan accordingly, he says. That includes discussing with counsel what security activities might be best performed under attorney-client privilege, he adds.