HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.

The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker.

This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees.

Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data.

Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. Lincare previously offered 24 months of complimentary credit monitoring and identity theft protection services to employees affected by the incident.

The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email.

In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.

The risk of the PII being used to commit fraud is not theoretical. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”

The question that the courts will need to answer is to what extent Lincare is liable for the attack, whether additional safeguards should have implemented and whether there was an implied agreement that the company would keep employee information secure.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.