Sleep Management Institute Provides Notice of Security Incident

Sleep Management Institute and its affiliates (“Sleep Management”), a healthcare provider specializing in sleep disorder evaluation and treatment, confirmed that it experienced a data incident in February 2024 and will issue notices to affected individuals and relevant state and federal agencies about the incident.

On February 5, 2024, Sleep Management identified unusual activity on its computer systems with indicators consistent with a ransomware incident. Sleep Management immediately began an investigation and took steps to contain the situation, including by proactively taking certain systems offline, changing passwords, notifying federal law enforcement, and engaging cybersecurity and privacy professionals to assist. In addition to these steps, Sleep Management also added measures to improve the security of its systems and practices, including updating network configurations and firewalls, deploying a 24/7 managed detection and response solution, enabling content filtering on all devices, installing intrusion prevention systems and advanced malware protection to monitor and prevent malicious network traffic, and implementing a more secure VPN protocol to better safeguard access to Sleep Management networks. Over the past few weeks, Sleep Management has been working diligently to continue its investigation, bring systems back online as quickly and securely as possible, and add further technical safeguards to existing protections.

At this time, and due to the nature of the incident, the investigation is still ongoing into what data pertaining to individuals was affected. Currently, the investigation has found evidence that unauthorized actors accessed the Sleep Management systems from January 27, 2024 to February 6, 2024. While there is currently no indication that unauthorized actors have misused any information for identity theft or fraud in connection with this incident, Sleep Management is providing this notice to all individuals who may be potentially affected by this situation. 

While the investigation is ongoing, there is a possibility that the following types of information may have been impacted: name, address, date of birth, Social Security Number or taxpayer identification number, driver’s license number or other government-issued identification number, passport number, financial account information, payment card information, username and other credential information, digital signature, biometric data, mother’s maiden name, IRS-issued pin number, clinical or treatment information, medical provider name(s), medical procedure information, health insurance information, prescription information, and any other information on an individual that was created, used, or disclosed in the course of providing health care services. Note that this describes general categories of information identified as present within the affected systems and may have been accessed by unauthorized actors during the incident. However, specific individuals and the extent of the information involved is not yet known. Because this investigation is ongoing, Sleep Management is providing notice to all individuals who may be potentially affected by this situation.

Sleep Management encourages individuals to remain vigilant against incidents of identity theft and fraud, review account statements and explanation of benefits forms, and monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to 1 free credit report annually from each of the 3 major credit reporting bureaus. To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Additional information and resources are outlined below.

Moreover, information regarding identity theft, fraud alerts, security freezes, and the steps an individual can take to protect personal information may be obtained by contacting the consumer reporting agencies, the Federal Trade Commission, or the appropriate state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by calling 1-877-438-4338. Individuals should file a police report if they are a victim of identity theft or fraud. To file a report with law enforcement for identity theft, an individual will likely need to provide some proof that they have been a victim.