Data Breaches Announced by Open Arms Care; Elmwood Home Care

Posted by Steve Alder

Data breaches have been announced by the Tennessee-based disability care provider Open Arms Care Corporation and the Rhode Island and Massachusetts home healthcare provider, Elmwood Home Care.

Open Arms Care, Tennessee

Open Arms Care Corporation, a Brentwood, TN-based nonprofit provider of residential and therapeutic care services to individuals with disabilities, has recently disclosed a breach of its email tenant. Suspicious activity was identified in August 2025, indicative of unauthorized access to an email account. The forensic investigation confirmed that the account had been accessed by an unauthorized third party between June 2025 and August 2025.

The account was reviewed to determine the individuals affected and the types of data involved, and that process was completed on April 30, 2026. Up-to-date contact information was obtained, and notification letters were mailed to the affected individuals on June 9, 2026. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Medical diagnosis, treatment information, Social Security number, and/or health insurance information. The number of affected individuals has not been publicly disclosed at the time of writing.

Elmwood Home Care, Rhode Island/Massachusetts

Elmwood Home Care, a home healthcare provider serving patients in Rhode Island and Massachusetts, has recently announced a cybersecurity incident that resulted in unauthorized access to its computer systems between January 24, 2026, and February 13, 2026.

The forensic investigation determined that a threat group viewed or acquired files containing patient data such as names, dates of birth, Social Security numbers, driver’s license numbers, other demographic information, medical information, and health insurance information. Elmwood Home Care said it is reviewing its data security policies and procedures and is implementing additional administrative and technical safeguards to better protect its systems and sensitive data.

At the time of publication, the number of affected individuals had not been publicly disclosed. This appears to have been a ransomware attack, for which the LockBit5 ransomware group claimed responsibility.

The post Data Breaches Announced by Open Arms Care; Elmwood Home Care appeared first on The HIPAA Journal.

FMC Services Agrees to $2.15M Settlement to End Data Breach Lawsuit

Posted by Steve Alder

FMC Services LLC, the operator of a network of primary care clinics in Amarillo and Canyon, Texas, experienced a cyberattack and data breach in 2022. The class action lawsuit that followed has recently been settled for $2.15 million.

The cyberattack was detected on July 26, 2022, and the forensic investigation confirmed that files had been exposed containing names, addresses, dates of birth, Social Security numbers, and health information. The FMC Services data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. Notification letters were mailed to 266,540 individuals.

Four individuals filed class action lawsuits in response to the exposure of their personal and protected health information. The lawsuits made similar claims and were consolidated into a single action – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit claimed that FMC Services had a duty to maintain reasonable and appropriate cybersecurity measures and breached that duty, resulting in the cyberattack and data breach. The lawsuit asserted claims for negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment.

FMC Services denies any wrongdoing; however, it began discussing a potential settlement in mid-2024, but the terms of a settlement could not be agreed upon during mediation. Following extensive discovery and litigation, and after the plaintiffs defeated the defendant’s motion for summary judgment, a second attempt at mediation resulted in the material terms of a settlement being agreed upon.

The settlement has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, FMC Services will establish a $2,150,000 settlement fund to cover benefits to the settlement class members, attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. There is an alternative cash payment for class members who elect not to submit a reimbursement claim. The alternative cash payment is estimated to be $75 per class member, but it will depend on the number of valid claims.

All class members are also entitled to claim two years of medical data monitoring services, regardless of the cash payment they claim. The deadline for objection and exclusion is August 17, 2026, and claims must be submitted by August 31, 2026. The final fairness hearing has been scheduled for September 15, 2026.

The post FMC Services Agrees to $2.15M Settlement to End Data Breach Lawsuit appeared first on The HIPAA Journal.