DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Why won’t they tell you that your data were leaked? Why doesn’t the government make them tell you?

Posted on October 3, 2022 by Dissent

For the past few years, DataBreaches has called out victims of cyberattacks who do not fully disclose how bad a breach was. Weasel words such as something “may have” happened when a victim knows damned well that it wasn’t just “may have” but did happen are just one example. Another example involves victims who claim that they have no evidence of misuse of patients’ data or expectation that data will be misused. Still, they never tell the patients that the data wasn’t just accessed, but it was acquired, and not only was it acquired, but it has now been dumped on the internet where anyone and everyone can freely access it.

Today’s case involves Family Medicine Centers (FMC) in Texas. On or about September 23, they issued a disclosure notice sent to state regulators and patients. The letter was issued in various forms by FMC Services, LLC depending on whether the individual was a patient or an employee, and if a patient, whether an adult or a minor or a deceased patient.

Here’s a statement from one notification:

What information was involved?
After the comprehensive forensic investigation into this incident concluded, we discovered that your name, mailing address, date of birth, Social Security number, and/or health information may have been exposed to the unauthorized party during the network compromise. We have had no reports of related identity theft as a result of this incident.

On September 23, FMC reported to HHS that 233,948 patients were affected by the incident they detected on July 26. Between detection and September 23, there were developments of note:

On August 21, the Vice Society ransomware team added FMC to their leak site. DataBreaches reached out to FMC but received no replies. DataBreaches reported on the incident on August 26, noting:

FMC has not replied to repeated inquiries despite acknowledging receipt of the questions. There are no reports from either entity on HHS’s public breach tool or the Texas Attorney General’s breach site. DataBreaches has also sent an inquiry to BSA Hospice of the Southwest, but no reply was immediately received.

DataBreaches also reported that Vice Society informed this site that their attempt to encrypt or lock FMC’s files was blocked and that they abandoned efforts to encrypt and just exfiltrated data.

Approximately one month later, FMC sends notifications that omit any mention that 272,000 files were acquired and then dumped on the dark web for anyone to grab.

And they will likely get away with it because, so far, HHS has not come out with any strong statements urging or demanding entities to be more transparent about the situation when there has been a breach resulting in exfiltration.

How can patients assess their risk and make informed decisions about what steps they may need to take to protect themselves if entities withhold information like the fact that (1) data was exfiltrated and (2) data was leaked publicly?

DataBreaches realizes that entities and their lawyers may disagree with the opinions expressed here. If one or more would like to write a reasoned explanation to justify not informing patients, DataBreaches will post it.

No related posts.

Category: Breach IncidentsHealth DataMalwareU.S.

Post navigation

← Landmark U.S.-UK Data Access Agreement Enters into Force
“CISA wasted our time, we waste CISA reputation” — Vice Society →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.