For the past few years, DataBreaches has called out victims of cyberattacks who do not fully disclose how bad a breach was. Weasel words such as something “may have” happened when a victim knows damned well that it wasn’t just “may have” but did happen are just one example. Another example involves victims who claim that they have no evidence of misuse of patients’ data or expectation that data will be misused. Still, they never tell the patients that the data wasn’t just accessed, but it was acquired, and not only was it acquired, but it has now been dumped on the internet where anyone and everyone can freely access it.
Today’s case involves Family Medicine Centers (FMC) in Texas. On or about September 23, they issued a disclosure notice sent to state regulators and patients. The letter was issued in various forms by FMC Services, LLC depending on whether the individual was a patient or an employee, and if a patient, whether an adult or a minor or a deceased patient.
Here’s a statement from one notification:
What information was involved?
After the comprehensive forensic investigation into this incident concluded, we discovered that your name, mailing address, date of birth, Social Security number, and/or health information may have been exposed to the unauthorized party during the network compromise. We have had no reports of related identity theft as a result of this incident.
On September 23, FMC reported to HHS that 233,948 patients were affected by the incident they detected on July 26. Between detection and September 23, there were developments of note:
On August 21, the Vice Society ransomware team added FMC to their leak site. DataBreaches reached out to FMC but received no replies. DataBreaches reported on the incident on August 26, noting:
FMC has not replied to repeated inquiries despite acknowledging receipt of the questions. There are no reports from either entity on HHS’s public breach tool or the Texas Attorney General’s breach site. DataBreaches has also sent an inquiry to BSA Hospice of the Southwest, but no reply was immediately received.
DataBreaches also reported that Vice Society informed this site that their attempt to encrypt or lock FMC’s files was blocked and that they abandoned efforts to encrypt and just exfiltrated data.
Approximately one month later, FMC sends notifications that omit any mention that 272,000 files were acquired and then dumped on the dark web for anyone to grab.
And they will likely get away with it because, so far, HHS has not come out with any strong statements urging or demanding entities to be more transparent about the situation when there has been a breach resulting in exfiltration.
How can patients assess their risk and make informed decisions about what steps they may need to take to protect themselves if entities withhold information like the fact that (1) data was exfiltrated and (2) data was leaked publicly?
DataBreaches realizes that entities and their lawyers may disagree with the opinions expressed here. If one or more would like to write a reasoned explanation to justify not informing patients, DataBreaches will post it.