Vendor Risk Management

Vendor Hack Tied to 20 Anesthesiology Practice Breaches

New York Firm At Center of Breaches Affecting About 430,000
Vendor Hack Tied to 20 Anesthesiology Practice Breaches

A hacking incident at a New York-based administrative services firm has resulted in a growing list of anesthesiology practices reporting breaches that so far have affected the personal information of about 430,000 people.

See Also: Live Webinar | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Somnia Inc., in Harrison, New York, is a physician-owned anesthesia management services firm that also appears to have corporate or leadership ties to at least some of the 20 practices that reported breaches.

Marc Koch, M.D., president and CEO of Somnia, is listed as CEO of Resource Anesthesiology Associates of VA LLC, which reported a breach affecting 4,200 individuals to state and federal regulators.

At least five entities operating in states including Virginia, California, Illinois, Pennsylvania and Kentucky with variations of the "Resource Anesthesiology Associates" name filed breach reports on Sept. 23 or Oct. 24 with the U.S. Department of Health and Human Services or to various state regulators, including the Maine attorney general, in recent weeks. Those five Resource Anesthesiology Associates breaches affected a total of more than 85,000 individuals.

Somnia did not immediately respond to Information Security Media Group's inquiry about whether Somnia has an ownership stake in any of the practices.

Overall, the largest Somnia-related breach was reported to HHS' Office for Civil Rights on Sept. 23 by Providence WA Anesthesia Services PC, affecting nearly 99,000 individuals.

Breach notification letters being mailed from the affected anesthesiology practices to their patients do not identify Somnia as the "management services organization" that experienced the hacking incident.

A Somnia spokeswoman confirmed to ISMG that the firm is the management services organization behind the recent breaches affecting "some" of its anesthesiology practice clients. Somnia declined to disclose how many clients and individuals in total were affected.

Anesthesia Practices Affected by the Somnia Hack

Breached Entity Individuals Affected
Providence WA Anesthesia Services 98,700
Palm Springs Anesthesia Services 58,500
Anesthesia Services of San Joaquin 44,000
Anesthesia Associates of El Paso 43,200
Resource Anesthesiology Associates 37,700
Resource Anesthesiology Associates of IL 18,300
Bronx Anesthesia Services 17,800
Resource Anesthesiology Associates of CA 16,000
Grayling Anesthesia Associates 15,400
Hazleton Anesthesia Services 13,600
Anesthesia Associates of Maryland 12,400
Somnia Pain Mgt of Kentucky 11,000
Upstate Anesthesia Services 9,100
Resource Anesthesiology Associates Of KY 9,000
Saddlebrook Anesthesia Services 8,900
Fredericksburg Anesthesia Services 7,100
Resource Anesthesiology Associates of VA 4,200
Lynbrook Anesthesia Services 3,800
Somnia, Inc 1,300
Mid-Westchester Anesthesia Services 700
Sources: U.S. Department of Health and Human Services, Maine attorney general's office

Breach Details

Somnia did not disclose to ISMG the type of hacking incident it experienced, including whether it involved ransomware or data exfiltration.

"Fortunately, there was very limited impact to IT services and no interruption to any anesthesiology providers’ ability to provide services to their patients," the Somnia spokesperson tells ISMG.

Notification letters being sent to patients by the anesthesia practices say that on July 11, their management services company identified "suspicious activity" on its systems.

"The management company immediately implemented its incident response protocols, disconnected all systems and engaged external cybersecurity experts to conduct a forensic investigation," the letters say.

The forensic investigation into the incident found that some information stored on the management company’s systems may have been compromised, the letters say.

Affected information includes individuals' name, Social Security number, and some combination of data including date of birth, driver’s license number, financial account information, health insurance policy number, medical record number, Medicaid or Medicare ID, and health information such as treatment and diagnosis.

An attorney who filed data breach reports to the Maine attorney general's office for nearly a dozen anesthesia practices affected by the hacking incident did not immediately respond to ISMG's request for additional details.

Somnia says that in the wake of the incident, the firm has taken steps to prevent a similar incident in the future. That includes conducting a global password reset, tightening firewall restrictions and implementing enhanced endpoint threat detection and response monitoring software on workstations and servers.

Growing Trend

The Somnia breach is among an ever-growing list of hacking and other data security incidents involving business associates that are affecting scores of covered entities and millions of their patients so far this year.

In fact, as of Friday, the largest breach posted on the HHS' Office for Civil Rights HIPAA Breach Reporting Tool website so far in 2022 was reported by business associate OneTouchPoint, a Wisconsin-based printing and mailing vendor.

That ransomware incident was reported as affecting more than 4.1 million individuals (see: Federal Tally Reaches 5,000 Health Data Breaches Since 2009).

"Covered entities must take business associate due diligence very seriously," advises regulatory attorney Paul Hales of the Hales Law Group.

A covered entity that entrusts protected health information to a business associate without confirming the vendor's data security and privacy programs and practices "seems like a textbook example of ‘willful neglect,’ subject to the highest HIPAA civil monetary penalties," he says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.