25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Patient Data Compromised in Cyberattacks on Sleep Specialists

Posted By on Dec 3, 2025

Two sleep specialists, Persante Health Care in New Jersey and SomnoSleep Consultants in Virginia, have recently disclosed security incidents that exposed patient information.

Persante Health Care Patients Informed About January 2025 Cyberattack

Persante Health Care, a Mount Laurel Township, NJ-based national provider of sleep and balance center management services to hospitals and physician practices, has announced a security incident that was detected on or around January 28, 2025.

Unusual activity was identified within its computer network and, assisted by third-party cybersecurity experts, it was determined that an unauthorized third party accessed its network between January 23 and January 28, 2025. During that time, files containing patient information may have been accessed or acquired. It took more than 8 months to review the affected files to determine whether patient data had been exposed. On October 3, 2025, the data review confirmed that personal and protected health information was involved.

The exposed data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, state identification number, passport number, government identification number, taxpayer identification number, date(s) of service, physician or facility name, patient account number, medical record number, financial account information, payment card number, medical device identifier(s), and/or biometric identifier(s).

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The Federal Bureau of Investigation was informed about the cyberattack, and Persante Health Care is assisting with the investigation. Additional measures have been implemented to reduce the risk of similar incidents in the future, and the affected individuals were notified by mail on November 26, 2025.

Update: December 22, 2025: The HHS Office for Civil Rights breach portal shows that this was a significant data breach, involving the protected health information of 111,815 individuals.

SomnoSleep Consultants’ Patients Affected by Business Associate Data Breach

Patients of Annadale, VA-based SomnoSleep Consultants have been notified about a security incident at a third-party billing vendor, Avosina Healthcare Solutions. The vendor detected unauthorized access to its network on July 29, 2025, in what appears to have been a ransomware attack. The Qilin ransomware group claimed responsibility for the attack. Avosina said it was able to restore its services from backups; therefore, no ransom was paid. The FBI was notified, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident and implement additional security measures to protect against further attacks.

The investigation confirmed that some documents were exfiltrated from its network. The analysis of those files confirmed that they contained patients’ names, addresses, medical information, and health insurance information. SomnoSleep said there was no unauthorized access to any files part of its electronic medical record system.

Avosina notified SomnoSleep about the attack on September 29, 2025, and on November 17, 2025, SomnoSleep provided additional information on the affected patients and delegated the responsibility for sending notification letters to its business associate. SomnoSleep said that no evidence has been found to indicate that any of the impacted patient data has been misused.

Avosina confirmed to SomnoSleep that steps have been taken to correct the vulnerability that was exploited by the threat actor, and other security measures have been implemented to protect against any further unauthorized network access. Internal data management protocols have also been reviewed. The breach was reported to the HHS Office for Civil Rights as involving the protected health information of 913 patients. In January 2026, Avosina Healthcare Solutions reported the breach to the HHS’ Office for Civil Rights as affecting 44,435 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist