Cyber Incident Victim: Family Medical Center Services

On July 26, 2022, FMC Services, LLC discovered it was targeted by a cyberattack involving unauthorized infiltration attempts of its computer systems, accompanied by ransom demands. The Texas-based healthcare services provider immediately secured its systems to halt further unauthorized access and engaged an independent cybersecurity firm to investigate the incident. The investigation confirmed that attackers successfully accessed certain files on FMC's network containing sensitive patient information. The compromised data included names, mailing addresses, dates of birth, Social Security numbers, and protected health information belonging to current and former patients. FMC conducted a review of the affected files to identify the specific information exposed and the individuals impacted. The company characterized the incident as a ransomware attack but did not disclose whether any ransom was paid or whether data was exfiltrated beyond system encryption.

FMC Services completed its forensic review and began notifying affected individuals on September 23, 2022, through mailed data breach letters. The company simultaneously reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, disclosing that 233,948 individuals were impacted. The breach affected patients across FMC's five clinics in Amarillo, Texas, including FMC of Canyon, FMC of Coulter, FMC of Georgia, FMC 34th & Coulter, and CareXpress Urgent Care. No specific technical details regarding the attack vector or duration of unauthorized access were disclosed beyond confirmation of ransomware involvement. The incident exposed patients to heightened risks of identity theft and fraud due to the sensitivity of the compromised data categories, particularly Social Security numbers and health information. FMC did not publicly disclose any operational disruptions or system downtime resulting from the attack beyond the initial containment measures implemented on July 26.