AMARILLO, Texas (KAMR/KCIT) — Earlier this month, a consolidated class action petition was released in the 320th Judicial District Court of Potter County after four civil lawsuits against Family Medicine Centers Services, LLC (FMC Services) were combined into one back in November.

According to previous reports by MyHighPlains.com, the four lawsuits, along with the consolidated class action petition, were in response to a cybersecurity attack against FMC Services earlier this year.

The four lawsuits were initially filed against FMC Services by Deneli Sharber, Shanna Byers, Lyle Schafer and Jennifer Hart, formerly Jennifer Holman. According to the most recent petition, the lawsuit also consists of other class members, more specifically “all persons whose personally identifiable information or personal health information was compromised in the Data Breach by unauthorized persons, including all persons who were sent a notice of the Data Breach.”

On July 26, officials with FMC said they detected and stopped a network data security incident, exposing personally identifiable information and protected health information for more than 230,000 community members, including name, mailing address, date of birth, Social Security number and other protected health information.

Officials stated that FMC reported the breach to the state attorneys general and the United States Department of Health and Human Services on Sept. 23, while also posting a notice of the data breach on its website.

The four lawsuits, which covered essentially the same ground, were combined in Potter County District Court on Nov. 16. The Consolidated Class Action Petition was filed in the court on Dec. 15.

“Plaintiffs bring this class action against FMC for its failure to secure and safeguard the personally identifiable information and personal health information of approximately 233,948 individuals…,” the petition read. “…FMC owed a duty to Plaintiffs and Class members to implement and maintain reasonable and adequate security measures to secure, protect and safeguard their PRR/PHI against unauthorized access and disclosure. FMC breached that duty by, among other things, failing to implement and maintain reasonable security procedures and practices to protect its patients’ PII/PHI from unauthorized access and disclosure.”

In the combined petition, the plaintiffs alleged various causes of action in this lawsuit against FMC Services including negligence and alleged violations of the HIPAA Privacy and Security Rules and section five of the FTC Act by not complying with industry standards.

The lawsuit alleges that FMC neglected to safeguard and protect the PII and PHI of their patients by “failing to design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security processes, controls, policies, procedures, protocols, and software and hardware systems” which resulted in the “unauthorized release, disclosure and dissemination” of that information.

The combined petition also alleges that FMC Services also breached its fiduciary duty and breached its implied contract with its patients. The lawsuit states that because patients gave FMC their PII/PHI in confidence and as a part of an implied contract to receive services from them, FMC had a duty to protect that information.

“FMC’s breach of its obligations of its implied contracts with Plaintiffs and Class members directly resulted in the Data Breach and the injuries that Plaintiffs and all other Class members have suffered from the Data Breach,” the lawsuit said.

The lawsuit also states that because it did not protect the information, FMC Services should not be permitted to “retain the money belonging to Plaintiffs and Class members” and that FMC “should be compelled to provide… all unlawful proceeds received by it as a result of the conduct and Data Breach alleged…”

The plaintiffs, along with the class members represented in the lawsuit, are seeking relief in this lawsuit, including:

• Awarding Plaintiffs and the Class appropriate monetary relief;
• Plaintiffs seek appropriate injunctive relief designed to prevent FMC from experiencing another data breach by adopting and implementing best data security practices to safeguard PII/PHI and to provide or extend credit monitoring services and similar services to protect against all types of identity theft and medical identity theft.

The plaintiffs are also asking for a trial by jury of the claims listed in this petition that are “so triable.”

According to previous reports, officials with FMC previously told MyHighPlains.com that they were unable to comment on the ongoing litigation. But they stressed that they are continuing to improve “the security of (their) network environment by monitoring the evolving cybersecurity landscape and taking appropriate actions.”