Share this article on:
American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters.
There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed breach of employee information to have occurred this year.
The massive haul of W-2 Form data included employees’ names, Social Security numbers, birth dates, and addresses. An investigation suggests that the individual behind the campaign was based offshore.
In many cases, organizations discover they have been scammed soon after the email has been sent, allowing rapid action to be taken to limit the harm caused. However, that was not the case here.
The phishing email was sent to a payment processor for American Senior Communities in mid-January; however, the incident was not discovered for a month.
The employee’s error was only identified on February 17 after some of the nursing home chain’s staff members had reported that they had attempted to file their tax returns for the previous fiscal year, only to have those claims rejected as a tax return had already been submitted in their name.
Once it became clear that the tax fraud was made possible because of the actions of an employee, the IRS was notified. The incident has also been reported to the Indiana Office of Attorney General, Law enforcement and the Indiana Department of Revenue. It is unclear how many of the 17,000 employees have already had tax returns filed in their name by fraudsters.
All employees affected by the incident have been offered free credit monitoring service to protect them against identity theft and further fraudulent use of their information.