Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit

Posted by Steve Alder

FMC Services, LLC, which does business as Family Medicine Centers in Texas, has agreed to a $2,150,000 settlement to resolve claims related to a July 2022 data breach. Amarillo, TX-based Family Medicine Centers is a network of four primary care clinics in Amarillo and Canyon, and urgent care clinics operating under the name of CareXpress.

On or around July 26, 2022, a data security incident was identified. Unauthorized individuals accessed its network systems, which contained personally identifiable information (PII) and protected health information (PHI) such as names, mailing addresses, birth dates, and Social Security numbers, and health information. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. According to the lawsuit, notification letters were sent to 266,540 individuals.

Multiple lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit alleged that the defendant had implemented inadequate data security measures, resulting in an intrusion and the theft of sensitive data. The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment, and sought declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.

Family Medicine Centers denied and continues to deny all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability. In mid-2024, the parties began discussing the prospect of a settlement to bring the litigation to an end. A mediation session was scheduled but ended without a settlement being reached. Following extensive discovery and litigation, and a failed defendant’s Motion for Summary Judgment, the parties agreed to a second attempt at mediation, and the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court. The final fairness hearing has been scheduled for September 15, 2026. The defendant has agreed to establish a $2,150,000 settlement fund, which will be used to pay benefits to the class members, once attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives have been deducted.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. If a claim for reimbursement of losses is not submitted, class members may instead file a claim for an alternative cash payment, which is estimated to be $75 per class member, although the amount depends on the remaining funds once the reimbursement claims have been paid.

In addition to one of the cash payments, a claim may be submitted for a two-year membership to a medical data monitoring service. Class members wishing to object to or exclude themselves from the settlement must do so by August 17, 2026. Claims must be submitted by August 31, 2026.

The post Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit appeared first on The HIPAA Journal.

Patient Data Exposed in Cyberattacks on Dental Practices

Posted by Steve Alder

Data breaches have been announced by Bridle Trails Family Dentistry, Verber Dental Group, and Bronsky Orthodontics. Across the three incidents, the protected health information of more than 32,700 individuals was exposed and potentially stolen.

Bridle Trails Family Dentistry

Bridle Trails Family Dentistry, a dental practice in Kirkland, Washington, has notified 20,976 current and former patients about a cybersecurity incident that occurred in the Fall of 2024 that exposed some of their personal and protected health information. According to the April 10, 2026, breach notification letters, an investigation was launched into a potential breach of its email environment, which confirmed that an employee’s email account was accessed by an unauthorized individual between November 19, 2024, and November 25, 2024. The account was reviewed, and Bridle Trails Family Dentistry learned on March 12, 2026, that the account contained a limited amount of personal and health information.

Data potentially compromised in the incident included full names, birth dates, Social Security numbers, reason for visit, medical provider name, clinical/treatment information, driver’s license numbers, taxpayer ID numbers, medical record numbers, and health insurance information. The impacted information varied from individual to individual. At the time of issuing notifications, Bridle Trails Family Dentistry was unaware of any misuse of data as a direct result of the incident. Bridle Trails Family Dentistry said it has taken many precautions to safeguard the personal and protected health information in its possession and continually evaluates and modifies its practices and internal controls.

Verber Dental Group

Verber Dental Group PC, a Camp Hill, Pennsylvania-based network of 14 dental practices, has announced a breach of the protected health information of up to 8,598 individuals. Suspicious activity was identified within its network environment on January 27, 2026. Immediate action was taken to ensure its network environment was secure, and an investigation was launched to determine whether sensitive data had been exposed.

The forensic investigation determined that an unauthorized third party had access to files containing patient data, which may have been viewed or acquired between January 26, 2026, and January 27, 2026. The files on the compromised parts of its network were reviewed and found to contain names, Social Security numbers, dates of birth, driver’s license numbers, medical information, and health insurance information. Notification letters are being mailed to the affected individuals, and steps have been taken to reduce the risk of similar incidents in the future.

Bronsky Orthodontics

Bronsky Orthodontics, an orthodontic practice in New York City, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,183 individuals. Suspicious activity was identified within an employee’s email account on October 16, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity specialists, Bronsky Orthodontics determined that a limited number of email accounts had been accessed by an unknown actor between August 18, 2025, and October 16, 2025.

The accounts were reviewed, and on March 11, 2026, Bronsky Orthodontics determined that they contained patient information such as names, dates of birth, contact information, dental and orthodontic treatment information, and insurance information. A limited number of individuals also had their financial account information, Social Security numbers, driver’s licenses, and/or other government-issued identification numbers exposed.   Policies and procedures related to data privacy and security are being reviewed as a result of the incident.

The post Patient Data Exposed in Cyberattacks on Dental Practices appeared first on The HIPAA Journal.