On September 23, 2022, FMC Services, LLC confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on FMC’s network. According to FMC, the breach resulted in the names, addresses, Social Security numbers, dates of birth and protected health information of certain patients and former patients being compromised. Recently, FMC sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.
What We Know About the FMC Services Data Breach
News of the FMC data breach comes from the company’s official filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as a notice posted on the FMC website. According to these sources, on July 26, 2022, FMC Services learned that it had been the target of a cyberattack. More specifically, management was informed that hackers had “attempted to infiltrate” FMC’s computer system and demanded a ransom.
In response, the company secured its systems, stopped all unauthorized access, and began working with an independent cybersecurity firm to investigate the incident. This investigation confirmed that the hackers were able to access certain files contained on the FMC network and that these files contained sensitive information belonging to some patients.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, FMC Services then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, mailing address, date of birth, Social Security number, and protected health information.
On September 23, 2022, FMC Services sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. According to FMC Service’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, 233,948 people were impacted by the breach.
FMC Services, LLC is a healthcare services company based in Amarillo, Texas. The company operates a number of clinics throughout the area, including FMC of Canyon, FMC of Coulter, FMC of Georgia, FMC 34th & Coulter, and CareXpress Urgent Care. FMC Services has a team of over 75 doctors spread across the company’s five locations.
Learn More About the Causes and Harms of Ransomware Attacks
The notice provided by FMC Services LLC mentioned that the company was the target of a ransomware attack. Indeed, ransomware attacks have been common in 2022, especially those that target healthcare providers.
A ransomware attack is a cyberattack that involves a hacker installing malware on a company’s computer network. Hackers can orchestrate a ransomware attack in a few different ways. Most frequently, these attacks are carried out by sending a phishing email to an employee in hopes of getting them to click on a malicious link. Once the employee clicks on the link, it downloads the malware onto their computer. The malware then encrypts the files on the computer and may infect other parts of the network.
Hackers may also try to trick an employee into giving the hackers their login credentials, which gives hackers access to the company’s computer network. Once hackers have access to the system, they install malware, locking out employees and management.
Hackers then send management a message, demanding the payment of a ransom to regain access to the network. In theory, once the company pays the ransom, the hackers decrypt their computer, which ends the attack—at least from the company’s perspective.
However, in many recent ransomware attacks, hackers have started to threaten to publish any exfiltrated data if the ransom goes unpaid. From the company’s perspective, they do not want to be seen as putting money over the safety of their customers’ information, so this adds to the incentive to pay a ransom. Not surprisingly, these new ransomware attacks have been very successful, resulting in hundreds of millions of dollars being paid to hackers.
However, if data makes its way onto the dark web, other criminals can bid on the data, which they can then use to commit identity theft and other frauds. Of course, while companies that are targeted in a ransomware attack are victims in some sense, the real victims of these attacks are the consumers whose information ends up in the hands of those looking to commit fraud.
Companies not only have the resources to pay an occasional ransom, but they also have the responsibility to implement robust data security systems designed to prevent these attacks in the first place.
The FMC Services, LLC data breach affected 233,948 people, including many former patients. If you received a letter from FMC Services, LLC explaining that your information was leaked in the recent ransomware attack, you are at a heightened risk of identity theft, and it is imperative that you understand what is at risk and how to protect yourself. To learn more about your options, including bringing a data breach lawsuit against FMC Services, please see our recent piece on the topic here.