Somnia finalizes $2.4M settlement over data breach

A $2.4 million settlement over a 2022 data breach at Somnia Inc. has received its final court approval, marking another reminder of the legal and financial risks of healthcare cybersecurity failures.

 

What happened

A federal court has granted final approval for a $2.4 million class action settlement stemming from a 2022 cyberattack on Somnia Inc., a company that manages anesthesiology services at over 100 surgical centers across the U.S. The breach exposed the personal and medical information of more than 450,000 individuals, prompting lawsuits that have now been resolved through a consolidated settlement agreement.

 

Going deeper

Hackers accessed Somnia’s network in mid-2022, compromising a wide range of sensitive data. The affected information included names, Social Security numbers, birth dates, driver’s license details, financial accounts, insurance information, and medical records. Plaintiffs alleged that Somnia and its affiliates, including anesthesia service providers in Illinois, New Mexico, Texas, and California, failed to implement reasonable cybersecurity safeguards and violated HIPAA standards.

The lawsuits were consolidated due to overlapping claims. Plaintiffs also alleged delays in notification and insufficient detail in the breach disclosure letters. While the defendants denied all wrongdoing and liability, they agreed to the settlement to avoid continued litigation expenses and uncertainty.

 

In the know

The settlement fund totals $2,425,000, with $1 million allocated to attorneys’ fees and $50,295 for litigation expenses. Each of the nine lead plaintiffs will receive a $1,000 service award. Remaining funds will be distributed among class members who submit valid claims for documented, unreimbursed losses tied to the breach, with a cap of $2,500 per person. Any leftover funds will be divided pro rata among the claimants.

 

What was said

In court filings, the defendants maintained their compliance with security obligations but acknowledged that settling was the most efficient resolution. Plaintiffs argued that the breach placed them at serious risk of identity theft and fraud due to the highly sensitive nature of the compromised data.

 

The big picture

The case serves as a reminder that HIPAA compliance alone may not shield companies from litigation if stakeholders perceive lapses in data protection or breach response. With settlements reaching into the millions, the financial consequences for mishandled data security are rising, reinforcing the need for proactive measures, transparent breach disclosures, and advanced incident response planning.

 

FAQs

Why are healthcare data breaches like Somnia’s considered especially serious?

Because they often expose sensitive medical and identity information, increasing the risk of long-term identity theft, medical fraud, and privacy violations.

 

What made plaintiffs argue that Somnia’s response was inadequate?

They claimed the breach notification was delayed and lacked sufficient detail, preventing timely action to protect themselves from potential harm.

 

How common are multi-million dollar breach settlements in healthcare?

They’re becoming more frequent, especially when large volumes of protected health information (PHI) are compromised and HIPAA violations are alleged.

 

Does HIPAA compliance protect companies from lawsuits?

No. Compliance helps, but it doesn’t shield organizations from legal action if stakeholders believe data security or breach response was mishandled.

 

What lessons does this case offer to other healthcare providers?

Invest in proactive cybersecurity, ensure transparent and timely breach responses, and prepare for legal scrutiny even if no wrongdoing is admitted.