The court has given final approval of a $2.4 million settlement of a class action lawsuit against Somnia Inc. in association with a cyberattack and data breach in 2022.
Somnia operates anesthesiology services at over 100 surgery centers throughout the country. In 2022, Somnia encountered a cyberattack that enabled hackers to access its system that stored patient data. The forensic investigation showed the compromise of the following data: names, birth dates, driver’s license numbers, Social Security numbers, financial account details, medical insurance policy numbers, medical record numbers, Medicare/Medicaid IDs, and medical data. The information, including PHI, of 450,000 individuals were exposed in the incident.
The breach prompted the filing of multiple lawsuits against Somnia, Palm Springs Anesthesia Services, Anesthesia Services of San Joaquin, Resource Anesthesiology Associates of IL, Anesthesia Associates of El Paso, and Resource Anesthesiology Association of NM. The lawsuits were combined into one lawsuit since they all alleged the same claims based on similar facts. The plaintiffs alleged that Somnia was negligent as it failed to use proper cybersecurity measures to protect the privacy and confidentiality of the information saved on its system, it did not adhere to industry safety requirements, and it was not HIPAA compliant.
The plaintiffs stated they had experienced harm as a result of the data breach, which include being at risk of fraud and identity theft. They likewise alleged the delay in sending data breach notification letters, which lacked important information regarding the data breach, such as the exact types of data stolen. The defendants rejected the allegations and did not admit to any wrongdoing, and stàted the plaintiffs’ claims lack merit. Nevertheless, Somnian made a decision to resolve the litigation to avoid extra legal fees and the risks associated with the lawsuit.
According to the terms of the settlement, Somnian created a $2,425,000 settlement fund to pay for claims filed by class members for unreimbursed, recorded out-of-pocket expenses that are plausibly linked to the data breach. The plaintiffs’ lawyers will be paid $1 million. The litigation expenses paid is $50,295. The 9 named plaintiffs will be paid a $1,000 service award each. What is left of the settlement fund will pay for the claims of class members. Each class member çould receive up to $2,500. If any funds remain after paying claims and expenses, these ŵill be distributed pro rata to the class members.