Respiratory Services Provider Lincare Settles Breach Case
Employees Filed Class Action Lawsuit in 2017 Following Phishing Scam
In-home respiratory care provider Lincare Inc. has signed an $875,000 settlement of a class action lawsuit brought by current and former employees who alleged they were harmed by the disclosure of their personal information in a 2017 breach involving a business email compromise scam.
The Clearwater, Florida-based company was previously fined by federal regulators after a different breach.
The case that was settled centered on a February 2017 incident in which a Lincare human resources worker allegedly fell for a phishing scam: a spoofed email, purporting to come from a Lincare executive, requested W-2 tax form information about company employees (see Employees Sue Home Health Provider After Phishing Breach).
Lincare has about 14,000 employees nationwide in 1,000 locations, according to court documents.
Documents filed on May 14 in a Florida U.S. district court note that in addition to the monetary settlement of the lawsuit, Lincare will make available an additional two years of free credit and identity monitoring services to those affected by the breach after the initial two years of free monitoring ends.
The $875,000 monetary settlement includes two funds.
A $550,000 fund will be used to pay up to $1,000 to each individual who suffered eligible out-of-pocket losses not covered by the credit and identity monitoring protection offered by Lincare.
A $325,000 fund will be used to compensate those who experienced an "eligible incident." That includes personally identifiable information being used for fraudulent tax returns, the opening of false credit lines, or the filing of false unemployment claims traceable to the phishing attack. Those payments are capped at $500 per eligible incident and limited to two eligible incidents per claimant.
Those affected by the breach, however, cannot file claims for both an eligible incident and an out-of-pocket loss.
Other Settlement Actions
Lincare also has agreed to implement and maintain security measures to protect the PII of its employees and former employees for a period of at least two years.
Under the settlement, Lincare agreed to:
- Perform a HIPAA risk assessment at least every two years, as well as an annual risk analysis that identifies material internal and external risks to the security of employees' PII stored on Lincare's systems;
- Maintain a "head of IT" responsible for protecting the security of employees' PII, implementing and monitoring a data security incident response program, and providing training on pertinent cybersecurity, risk management, data breach and security incident response issues;
- Continue to implement and maintain an updated spam filter as well as "updated email tags to assist in distinguishing emails emanating from external sources";
- Provide training and/or guidance to educate its workforce on an annual basis concerning information security issues, privacy awareness and the importance of protecting PII.
Lincare declined to comment on the lawsuit settlement. Attorneys representing plaintiffs in the class action settlement did not immediately respond to an ISMG request for comment.
The Department of Health and Human Services in 2016 slapped Lincare with a $240,000 HIPAA civil monetary penalty for a separate incident in 2008 involving an employee who abandoned documents containing the PHI of 278 patients after moving to a new residence (see OCR Slaps Home Health Provider With Penalty).
An HHS administrative law judge granted a summary judgment requiring Lincare to pay the civil monetary penalty in the 2008 breach involving a Lincare worker who allegedly removed patients' information from the company's office and left the information exposed.
That case, brought by HHS' Office for Civil Rights, was one of only three in which federal regulators had imposed a civil monetary penalty for "egregious" violations of HIPAA.
OCR generally imposes a civil monetary penalty only in those cases that involve a lack of cooperation with investigators or the failure to take recommended steps to correct security deficiencies.