DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Why won’t they tell you that your data were leaked? Why doesn’t the government make them tell you?

Posted on October 3, 2022 by Dissent

For the past few years, DataBreaches has called out victims of cyberattacks who do not fully disclose how bad a breach was. Weasel words such as something “may have” happened when a victim knows damned well that it wasn’t just “may have” but did happen are just one example. Another example involves victims who claim that they have no evidence of misuse of patients’ data or expectation that data will be misused. Still, they never tell the patients that the data wasn’t just accessed, but it was acquired, and not only was it acquired, but it has now been dumped on the internet where anyone and everyone can freely access it.

Today’s case involves Family Medicine Centers (FMC) in Texas. On or about September 23, they issued a disclosure notice sent to state regulators and patients. The letter was issued in various forms by FMC Services, LLC depending on whether the individual was a patient or an employee, and if a patient, whether an adult or a minor or a deceased patient.

Here’s a statement from one notification:

What information was involved?
After the comprehensive forensic investigation into this incident concluded, we discovered that your name, mailing address, date of birth, Social Security number, and/or health information may have been exposed to the unauthorized party during the network compromise. We have had no reports of related identity theft as a result of this incident.

On September 23, FMC reported to HHS that 233,948 patients were affected by the incident they detected on July 26. Between detection and September 23, there were developments of note:

On August 21, the Vice Society ransomware team added FMC to their leak site. DataBreaches reached out to FMC but received no replies. DataBreaches reported on the incident on August 26, noting:

FMC has not replied to repeated inquiries despite acknowledging receipt of the questions. There are no reports from either entity on HHS’s public breach tool or the Texas Attorney General’s breach site. DataBreaches has also sent an inquiry to BSA Hospice of the Southwest, but no reply was immediately received.

DataBreaches also reported that Vice Society informed this site that their attempt to encrypt or lock FMC’s files was blocked and that they abandoned efforts to encrypt and just exfiltrated data.

Approximately one month later, FMC sends notifications that omit any mention that 272,000 files were acquired and then dumped on the dark web for anyone to grab.

And they will likely get away with it because, so far, HHS has not come out with any strong statements urging or demanding entities to be more transparent about the situation when there has been a breach resulting in exfiltration.

How can patients assess their risk and make informed decisions about what steps they may need to take to protect themselves if entities withhold information like the fact that (1) data was exfiltrated and (2) data was leaked publicly?

DataBreaches realizes that entities and their lawyers may disagree with the opinions expressed here. If one or more would like to write a reasoned explanation to justify not informing patients, DataBreaches will post it.

Category: Breach IncidentsHealth DataMalwareU.S.

Post navigation

← Landmark U.S.-UK Data Access Agreement Enters into Force
“CISA wasted our time, we waste CISA reputation” — Vice Society →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.