Employees Sue Home Health Provider After Phishing BreachHR Worker Allegedly Fell for Business Email Compromise Scam
A class action lawsuit claims that thousands of employees of a home healthcare services firm were harmed by the disclosure of their personal information in a breach earlier this year involving a business email compromise scam. Earlier, regulators fined the company for another breach.
See Also: Ransomware: The Look at Future Trends
Three former employees of Clearwater, Fla.-based Lincare Holdings Inc., a provider of in-home respiratory care and medical equipment, filed the lawsuit Monday in U.S. district court.
The suit alleges negligence and other charges related to a data breach resulting from a Lincare human resources worker in February 2017 falling for a phishing scam involving a fake email pretending to be from a Lincare executive that requested W-2 tax form information about company employees.
The lawsuit alleges that the Lincare HR employee, "rather than confirming or authenticating the validity of the request, compiled the requested information and complied with the request by emailing the name, address, Social Security number, earnings information and more of current and former Lincare employees to the purported Lincare executive."
Lincare, which has about 14,000 employees in about 1,000 locations nationwide, didn't have "the most basic security," resulting in negligence, breach of fiduciary duty, breach of implied contract, and violation of the Florida Deceptive and Unfair Trade Practices Act, the suit alleges.
Plaintiffs are seeking damages as well as at least 25 years of free credit and identity monitoring.
Previous Lincare Case
The complaint also points out that the incident at the center of the suit isn't Lincare's first data breach.
In January 2016, the Department of Health and Human Services' Office for Civil Rights, imposed a $240,000 civil monetary penalty for Lincare's alleged failure to implement policies and procedures to safeguard records containing its patients' protected health information as required by HIPAA (see OCR Slaps Home Health Provider With Penalty).
In that previous incident, OCR's investigation found that a Lincare employee in December 2008 left behind documents containing the PHI of 278 patients after moving to a new residence.
That Lincare case was only the second time ever that OCR imposed a civil monetary penalty in a case involving "egregious violations" of HIPAA.
"Based upon this [previous] breach ... Lincare was placed on specific notice that it needed to implement and maintain more adequate and reasonable data security processes, controls, policies, procedures, and protocols to safeguard and protect the sensitive and confidential information with which it was entrusted," the complaint in the employees' lawsuit allege.
"At all times relevant to this complaint, Lincare should have been, and was, actually advised by skilled lawyers, employees and other professionals who were, or should have been knowledgeable about protection and storage of PII."
The employees' lawsuit alleges that due to Lincare's failure to implement "the most basic of safeguards and precautions," sensitive personally identifiable information of Lincare's current and former employees "is now in the possession of an unknown third party or parties who have already used the PII for illegal purposes and will be able to continue doing so indefinitely."
The suit also alleges that "this unauthorized third party or parties gained access to the PII of plaintiffs and the class members for the purpose of using the information for improper and unlawful purposes, including identity theft, the filing of false tax returns, and the submission of fraudulent student loan applications and fraudulent credit applications."
On or about Feb. 10, Lincare notified current and former employees via email about the Feb. 3 data breach, the lawsuit says. The notice stated that the company was offering its employees two years of free credit and identity monitoring.
The email also noted that the HR worker involved in the incident, as well as other HR and payroll staff, had been retrained on the "importance of remaining vigilant about these types of criminal attacks," according to the lawsuit.
On April 21, Lincare subsequently sent to its employees a letter "which warned that current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education's Free Application for Federal Student Aid."
The suit says plaintiffs have received no further documentation or communication from Lincare since the April 21 letter.
The lawsuit claims that the breach could have been prevented had Lincare taken several information security steps, including:
- Implementing securely configured mail services "with advanced spam filters so that the phishing email never reached the HR employee's inbox in the first place";
- Conducting sufficient information security training;
- Implementing data security controls, policies and procedures regarding HR employees' access to employee PII, including policies that prohibited HR employees from having on-demand access to all of its employees' PII;
- Implementing multiple layers of computer-system security, scrutiny and/or authentication;
- Implementing measures to ensure that employee PII was never sent in an unencrypted form.
A Lincare spokeswoman declined to comment on the case.
A Rare Legal Action
Lawsuits by employees against healthcare entities in the wake of breaches are uncommon.
"I do not recall any other class actions from employees over a data breach of employees' personal information, although admittedly I have not researched the point," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
The lawsuit against Lincare offers some important lessons for other organizations, Greene says.
"Companies must emphasize phishing training and consider whether technical solutions can further reduce risk," he says. "HR is particularly at high risk due to an outbreak of W-2 scams, so employers may want to provide extra training and testing of employees with access to W-2 data."