Active breach tracker Harrison, New York Disclosed February 14, 2025

Somnia, Inc. Data Breach 2025: 19,069 Affected by Hacking/IT Incident at NY Anesthesia Management Business Associate

Somnia, Inc. — a New York-headquartered anesthesia management business associate — filed a HIPAA breach notification with HHS OCR on February 14, 2025 reporting 19,069 affected individuals from a Hacking/IT Incident at a Network Server. Notification letters were mailed February 27, 2025. Class-action investigations are underway. Here is what is known and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 21, 2024

Suspicious activity identified in Somnia's email environment

Dec 10, 2024

Investigation confirms protected health information was present in compromised accounts

Feb 14, 2025

HHS OCR breach report filed (Hacking/IT Incident at Network Server; business associate)

Feb 27, 2025

Individual notification letters mailed to affected individuals

Mar 1, 2025

Plaintiffs' firms (Strauss Borrelli PLLC, Console & Associates P.C., and others) announce class-action investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Date of birth

02

Health records

Don't expire and can't be reissued

Health information (diagnosis, treatment, condition)

03

Contact & insurance

Phishing + targeted scams

Name Address Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Somnia, Inc. is a physician-owned anesthesia management company headquartered in Harrison, New York that provides turnkey clinical and administrative services to anesthesiology groups and hospital anesthesia departments nationwide. As a vendor handling protected health information on behalf of healthcare providers, Somnia is a HIPAA business associate, which is why your notification may arrive from Somnia even though you have likely never interacted with the company directly. You almost certainly know it only through the hospital, surgery center, or anesthesia practice that engaged it for billing, scheduling, or practice-management support.

Timeline

  • November 21, 2024 — Somnia identified suspicious activity in its email environment and launched an investigation with outside cybersecurity counsel.
  • December 10, 2024 — Forensic review confirmed that protected health information was present in the compromised accounts.
  • February 14, 2025 — Somnia filed a HIPAA breach report with the HHS Office for Civil Rights, classified as a Hacking/IT Incident at a Network Server, with 19,069 individuals affected and a business associate flagged on the entry.
  • February 27, 2025 — Somnia began mailing individual notification letters to affected individuals, with credit-monitoring offered where Social Security numbers were involved.
  • Early March 2025 onward — Multiple plaintiffs’ firms (Strauss Borrelli PLLC, Console & Associates P.C., and others) opened public class-action investigations soliciting affected individuals.

What was exposed

Somnia’s notification letters and the law-firm investigation pages name a specific list of data elements:

  • Full name
  • Social Security number
  • Address
  • Date of birth
  • Health information (diagnosis, treatment, condition)
  • Health insurance information

Not every affected individual had every element exposed. Your notification letter is authoritative for what was in your specific record.

Who notifies you (and why it is not your hospital)

This is a business-associate incident. Somnia, Inc. is the anesthesia management vendor that held the data on behalf of one or more anesthesiology practices or hospital anesthesia departments. The notification arrives from Somnia, not from the hospital where you had a procedure or the anesthesiologist whose name appeared on your bill. If you do not recognize Somnia on the envelope, that is normal. Confirm the letter is legitimate by calling the number printed on the notice or by checking somniainc.com for the published incident reference, rather than calling a number sent over text or email.

Class-action posture

Several plaintiffs’ firms publicly opened class-action investigations within weeks of the February 27, 2025 notification mailing, including Strauss Borrelli PLLC, Console & Associates P.C., and others tracked on databreachclassaction.io. These investigations typically lead to one or more consolidated complaints filed in the U.S. District Court for the Southern District of New York, where Somnia is headquartered. (A separate, earlier 2022 Somnia incident was resolved in April 2025 by a $2.4 million settlement; the 2025 incident on this page is distinct and unresolved.) If a consolidated case is filed and certified, affected individuals will be auto-included as class members unless they opt out. No payment is required to participate.

What to do

  1. Open the letter carefully. It will identify which of the six data categories above were in your record and whether complimentary credit-monitoring and identity-theft restoration is offered. Enroll if it is — there is no reason not to.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. With a Social Security number in scope, this is the single highest-leverage protective step and it is free.
  3. Pull your credit reports at annualcreditreport.com and review for unfamiliar accounts.
  4. Save the notification letter. Class-action settlements typically require it as proof of class membership.
  5. If you had anesthesia at a facility that uses Somnia and never received a letter, call the number on Somnia’s incident page to confirm whether your records were in scope. Patients are often missed in the first notification wave.
  6. Restrict future records-sharing. HealthConsent files HIPAA restriction requests with your providers — including limits on which third-party vendors, billing services, and management companies receive your records — to reduce the next vendor-breach blast radius.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.