Somnia, Inc. Data Breach 2025: 19,069 Affected by Hacking/IT Incident at NY Anesthesia Management Business Associate
Somnia, Inc. — a New York-headquartered anesthesia management business associate — filed a HIPAA breach notification with HHS OCR on February 14, 2025 reporting 19,069 affected individuals from a Hacking/IT Incident at a Network Server. Notification letters were mailed February 27, 2025. Class-action investigations are underway. Here is what is known and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 21, 2024
Suspicious activity identified in Somnia's email environment
Dec 10, 2024
Investigation confirms protected health information was present in compromised accounts
Feb 14, 2025
HHS OCR breach report filed (Hacking/IT Incident at Network Server; business associate)
Feb 27, 2025
Individual notification letters mailed to affected individuals
Mar 1, 2025
Plaintiffs' firms (Strauss Borrelli PLLC, Console & Associates P.C., and others) announce class-action investigations
Nov 21, 2024
Suspicious activity identified in Somnia's email environment
Dec 10, 2024
Investigation confirms protected health information was present in compromised accounts
Feb 14, 2025
HHS OCR breach report filed (Hacking/IT Incident at Network Server; business associate)
Feb 27, 2025
Individual notification letters mailed to affected individuals
Mar 1, 2025
Plaintiffs' firms (Strauss Borrelli PLLC, Console & Associates P.C., and others) announce class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Somnia, Inc. is a physician-owned anesthesia management company headquartered in Harrison, New York that provides turnkey clinical and administrative services to anesthesiology groups and hospital anesthesia departments nationwide. As a vendor handling protected health information on behalf of healthcare providers, Somnia is a HIPAA business associate, which is why your notification may arrive from Somnia even though you have likely never interacted with the company directly. You almost certainly know it only through the hospital, surgery center, or anesthesia practice that engaged it for billing, scheduling, or practice-management support.
Timeline
- November 21, 2024 — Somnia identified suspicious activity in its email environment and launched an investigation with outside cybersecurity counsel.
- December 10, 2024 — Forensic review confirmed that protected health information was present in the compromised accounts.
- February 14, 2025 — Somnia filed a HIPAA breach report with the HHS Office for Civil Rights, classified as a Hacking/IT Incident at a Network Server, with 19,069 individuals affected and a business associate flagged on the entry.
- February 27, 2025 — Somnia began mailing individual notification letters to affected individuals, with credit-monitoring offered where Social Security numbers were involved.
- Early March 2025 onward — Multiple plaintiffs’ firms (Strauss Borrelli PLLC, Console & Associates P.C., and others) opened public class-action investigations soliciting affected individuals.
What was exposed
Somnia’s notification letters and the law-firm investigation pages name a specific list of data elements:
- Full name
- Social Security number
- Address
- Date of birth
- Health information (diagnosis, treatment, condition)
- Health insurance information
Not every affected individual had every element exposed. Your notification letter is authoritative for what was in your specific record.
Who notifies you (and why it is not your hospital)
This is a business-associate incident. Somnia, Inc. is the anesthesia management vendor that held the data on behalf of one or more anesthesiology practices or hospital anesthesia departments. The notification arrives from Somnia, not from the hospital where you had a procedure or the anesthesiologist whose name appeared on your bill. If you do not recognize Somnia on the envelope, that is normal. Confirm the letter is legitimate by calling the number printed on the notice or by checking somniainc.com for the published incident reference, rather than calling a number sent over text or email.
Class-action posture
Several plaintiffs’ firms publicly opened class-action investigations within weeks of the February 27, 2025 notification mailing, including Strauss Borrelli PLLC, Console & Associates P.C., and others tracked on databreachclassaction.io. These investigations typically lead to one or more consolidated complaints filed in the U.S. District Court for the Southern District of New York, where Somnia is headquartered. (A separate, earlier 2022 Somnia incident was resolved in April 2025 by a $2.4 million settlement; the 2025 incident on this page is distinct and unresolved.) If a consolidated case is filed and certified, affected individuals will be auto-included as class members unless they opt out. No payment is required to participate.
What to do
- Open the letter carefully. It will identify which of the six data categories above were in your record and whether complimentary credit-monitoring and identity-theft restoration is offered. Enroll if it is — there is no reason not to.
- Place free credit freezes at Equifax, Experian, and TransUnion. With a Social Security number in scope, this is the single highest-leverage protective step and it is free.
- Pull your credit reports at
annualcreditreport.comand review for unfamiliar accounts. - Save the notification letter. Class-action settlements typically require it as proof of class membership.
- If you had anesthesia at a facility that uses Somnia and never received a letter, call the number on Somnia’s incident page to confirm whether your records were in scope. Patients are often missed in the first notification wave.
- Restrict future records-sharing. HealthConsent files HIPAA restriction requests with your providers — including limits on which third-party vendors, billing services, and management companies receive your records — to reduce the next vendor-breach blast radius.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (Hacking/IT Incident, Network Server, business associate, 19,069 affected, reported February 14, 2025).
- Somnia, Inc. corporate homepage — entity contact channels and incident reference.
- Strauss Borrelli PLLC — Somnia Data Breach Investigation — corroborates timeline, exposed data categories, and announces a class-action investigation.
- Console & Associates P.C. — Somnia Data Breach Investigation — corroborates February 14, 2025 OCR filing and February 27, 2025 notification mailing, and announces a class-action investigation.
- ClaimDepot summary — third-party aggregator confirming exposed data categories and notification timeline.
- DataBreachClassAction.io — tracks the active class-action investigation posture.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal (primary source)
- Somnia, Inc. — corporate homepage
- Strauss Borrelli PLLC — Somnia Data Breach Investigation
- Console & Associates P.C. — Somnia Data Breach Investigation
- ClaimDepot — Somnia, Inc. Data Breach summary
- DataBreachClassAction.io — Somnia Data Breach Class Action Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.