AMARILLO, Texas (KAMR/KCIT) — Four civil lawsuits involving Family Medicine Centers, listed as FMC Services, LLC, have been combined in the 320th Judicial District Court in Potter County, according to documents recently filed in Potter County District Court.

These lawsuits, according to their respective petitions obtained by MyHighPlains.com, are in response to a cybersecurity attack in July against Family Medicine Centers, where individuals claimed various pieces of personally identifiable information and protected health information was compromised from more than 230,000 community members.

According to a notice of data incident, posted on the Family Medicine Centers website, officials with FMC said they “detected and stopped a network data security incident” on July 26. While officials said at the time that they found “no evidence that any information (had) been specifically accessed for misuse,” they said that it was possible that various patients’ information, including dates of birth, social security numbers, names, addresses and protected health information may have been exposed.

After the incident, officials with FMC said that an investigation was conducted, helping determine “the scope and extent of the potential unauthorized access to our systems and any sensitive information.”

“To date, there have not been any reports of related identity theft or misuse of any patient information,” the notice read that was posted, and is currently still on FMC’s website. “However, out of an abundance of caution, FMC mailed notification letters to affected individuals on September 23, 2022. The letters included additional information about what occurred, and outlined the specific personal information that could have been exposed for the individual.”

In relation to that breach, four individuals filed lawsuits against FMC Services, LLC in Potter County District Court. The four different cases were originally listed as:

  • Deneli Sharber, individually and on behalf of all other similarly situated v. FMC Services, LLC;
  • Shanna Byers, individually and on behalf of all others similarly situated v. FMC Services, LLC d/b/a Family Medicine Centers;
  • Lyle Schafer, individually and on behalf of all others similarly situated v. FMC Services, LLC;
  • Jennifer Holman, individually and on behalf of all others similarly situated v. FMC Services, LLC d/b/a Family Medicine Centers.

On Nov. 16, the 320th Judicial District of Potter County District Court ruled for the four cases to be consolidated into one case, with the Sharber case serving as the lead case, according to documents filed in the court.

What do the original petitions say?

According to documents obtained by MyHighPlains.com from Potter County District Court, the four lawsuits all center around the same subject, a class action petition that claims that Family Medicine Centers failed “to properly secure and safeguard the private and sensitive information (FMC) collected, maintained, stored, analyzed and used to provide its services.”

According to the Sharber petition, the lead case in the consolidated litigation, the goal for the plaintiffs, in this case, is to “obtain damages, restitution and injunctive relief” from FMC Services, LLC, seeking remedies including “compensatory damages, reimbursement of out-of-pocket costs and injunctive relief including improvements to (FMC’s) data security systems, future annual audits and adequate credit monitoring services.”

Officials said in the Sharber petition that an investigation from FMC in September revealed that the private information of 233,948 individuals was accessed in this data breach, including health information, social security numbers, dates of birth and addresses. This includes those who are or were patients of FMC, those who received health-related or other services from FMC and gave FMC their personally identifiable information and protected health information.

The lawsuits claim that FMC should have been more aware of data security obligations, with a recent increase in data breaches in the healthcare industry.

The legal teams also said that the overall healthcare industry is a “susceptible target” for a data breach, being that hospitals “sit on a gold mine of sensitive personally identifiable information for thousands of patients at any given time,” according to the Schafer petition.

“FMC has not nearly disclosed all the details of the Data Breach and its investigation,” the Schafer petition claims. “Absent such disclosure, questions remain as to the full extent of the Data Breach, the actual data accessed and disclosed, and what measures, if any, FMC has taken to secure the (personally identifiable information and protected health information) still in its possession. Plaintiff seeks to determine the scope of the data breach and the information involved, obtain relief that redressed the harm to Plaintiff’s and Class Members’ interest and ensure that FMC puts proper measures in place to prevent similar incidents from occurring in the future.”

The petitions claim that because of this breach, FMC violated the Health Insurance Portability and Accountability Act and breached the company’s obligations to the plaintiffs and all the patients this data breach impacted.

In the petitions, the causes of action that the plaintiffs are claiming against FMC in these respective lawsuits range from negligence to a breach of fiduciary duty and breach of implied contract. The goal of the lawsuit is for the plaintiffs, and the related parties in the lawsuit, to be awarded appropriate monetary relief, injunctive and declaratory relief along with reasonable attorneys’ fees. Each of the petitions also called for a trial by jury, “of all claims… so triable.”

What’s next?

After the order to consolidate the cases was approved in mid-November, the documents that have since been filed include notifying the attorneys and the parties of the order of the consolidation.

Other documents that have been filed in this case include motions for attorneys to appear in the case “Pro Hac Vice.” This term is one the Legal Information Institute at the Cornell Law School defines as “a legal term for adding an attorney to a case in a jurisdiction in which he or she is not licensed to practice in such a way that the attorney does not commit unauthorized practice of law.”

MyHighPlains.com has reached out to Family Medicine Centers for comment on this story. Steve Smith, the chief executive officer for the FMC Health Network, provided the following statement, saying:

“We are unable to comment on ongoing litigation, however, we take the privacy and protection of our patients’ information very seriously. We are continuously improving the security of our network environment by monitoring the evolving cybersecurity landscape and taking appropriate actions.”

Steve Smith, CEO for the FMC Health Network

MyHighPlains.com has also reached out to Ben Barnow of Barnow and Associates, P.C. and Gary E. Mason of Mason LLP, the two attorneys who are serving as interim co-lead counsel on behalf of the plaintiffs in this consolidated action. The story will be updated if they respond to the request for comment.

This is a developing story. MyHighPlains.com will update this article as new information becomes available.

Download the KAMR Local 4 News app on the App Store or Google Play for updates on the go.
Sign up for MyHighPlains.com email updates to see top stories, every day.
Check with MyHighPlains.com to see the latest updates for local news, weather, and events.