Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit
FMC Services, LLC, which does business as Family Medicine Centers in Texas, has agreed to a $2,150,000 settlement to resolve claims related to a July 2022 data breach. Amarillo, TX-based Family Medicine Centers is a network of four primary care clinics in Amarillo and Canyon, and urgent care clinics operating under the name of CareXpress.
On or around July 26, 2022, a data security incident was identified. Unauthorized individuals accessed its network systems, which contained personally identifiable information (PII) and protected health information (PHI) such as names, mailing addresses, birth dates, and Social Security numbers, and health information. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. According to the lawsuit, notification letters were sent to 266,540 individuals.
Multiple lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit alleged that the defendant had implemented inadequate data security measures, resulting in an intrusion and the theft of sensitive data. The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment, and sought declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.
Family Medicine Centers denied and continues to deny all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability. In mid-2024, the parties began discussing the prospect of a settlement to bring the litigation to an end. A mediation session was scheduled but ended without a settlement being reached. Following extensive discovery and litigation, and a failed defendant’s Motion for Summary Judgment, the parties agreed to a second attempt at mediation, and the material terms of a settlement were agreed upon.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court. The final fairness hearing has been scheduled for September 15, 2026. The defendant has agreed to establish a $2,150,000 settlement fund, which will be used to pay benefits to the class members, once attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives have been deducted.
Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. If a claim for reimbursement of losses is not submitted, class members may instead file a claim for an alternative cash payment, which is estimated to be $75 per class member, although the amount depends on the remaining funds once the reimbursement claims have been paid.
In addition to one of the cash payments, a claim may be submitted for a two-year membership to a medical data monitoring service. Class members wishing to object to or exclude themselves from the settlement must do so by August 17, 2026. Claims must be submitted by August 31, 2026.
