The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc. has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals after a member of staff responded to a phishing email.

On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’

After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge.

On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.


The lawsuit survived a motion to dismiss and, following mediation, a settlement was agreed. Lincare has agreed to pay $875,000 to settle the case with no admission of liability. $550,000 will be distributed to class members as compensation, and a further $325,000 is reserved for class members who experience an eligible incident, such as the filing of a fraudulent tax return, or the opening of a fraudulent loan or credit card account in their name.

W-2 Phishing Scams and How to Protect Against Them

Last year, more than 100 U.S. organizations fell victim to W-2 phishing scams during tax season, resulting in the disclosure of more than 120,000 employees’ W-2 information. Many of the employees whose personal information was exposed had their identities stolen and fraudulent tax returns filed in their names.

W-2 phishing scams are simple but highly effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior executive. An email is sent to an employee in the finance, payroll, or HR department requesting copies of the W-2 forms of all employees who worked for the company in the past year.

In some cases the executive’s email address is spoofed, although the most effective campaigns send the request from the executive’s real email account. Access to the account is usually gained through a phishing attack or by brute-forcing a weak password. The scam abuses trust in executives and the reluctance of employees to question a request that appears to come from senior management.

Last year both the FBI and the IRS issued warnings over the sharp rise in BEC attacks during tax season, many of which targeted healthcare organizations and educational institutions. Databreaches.net tracks reports of successful W-2 phishing attacks and detailed 145 attacks in 2016 and well over 100 in 2017. The true figure will undoubtedly be considerably higher as not all companies publicly announce that they have fallen for such a scam.

The cost of the attacks can be considerable for the employees whose data are stolen and, as this settlement shows, for the companies whose staff were fooled by the scam.

Preventing attacks requires a combination of administrative and technical measures.

  • Spam filtering solutions can reduce the potential for phishing emails to be delivered to employees, and enforcing email authentication (SPF, DKIM, and DMARC) lets them reject messages that spoof the company’s own domain. They will not block emails sent from a compromised email account, since those messages pass every authentication check.
  • The workforce, especially finance, payroll, and HR employees, should receive security awareness training and be alerted to the threat.
  • Consider introducing internal policies that prohibit executives from making requests for W-2 information via email.
  • Policies should be developed that require any emailed request for W-2 information to be verified by phone or face to face, using contact details already on file rather than any supplied in the email, before any data are provided.
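As an added illustration of the two cases described above (a spoofed executive address versus a compromised executive account) and of the filtering caveat in the list, the following Python script applies the header checks a mail gateway would run on an incoming message and then shows why a request sent from a genuine executive mailbox passes all of them and has to fall back to the out-of-band verification policy. This is example code written for this article, not a HIPAA Journal or Lincare tool; the corporate domain, the executive names, and the two sample messages are constructed for the demonstration. The Authentication-Results header is the one a receiving mail server adds after evaluating SPF, DKIM, and DMARC (RFC 8601).

```python
"""Header checks for executive-impersonation (BEC) email.

Illustrative example written for this article; not code from HIPAA Journal or
Lincare. Domain names, executive names and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}            # assumed corporate domain
EXECUTIVES = {"jane doe", "john roe"}               # assumed display names worth protecting
W2_TERMS = ("w-2", "w2", "wage and tax statement")  # phrases that mark a payroll-data request


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return (findings, w2_request) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Authentication results written by the receiving MTA: an SPF or DMARC
    #    failure on a message claiming to be from our own domain is a strong spoofing signal.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("authentication failure for %s" % from_dom)

    # 2. An executive's display name on an address outside the corporate domain.
    if from_name.strip().lower() in EXECUTIVES and from_dom not in INTERNAL_DOMAINS:
        findings.append("executive display name from external domain %s" % from_dom)

    # 3. Look-alike domain: one or two characters away from a real corporate domain.
    for internal in INTERNAL_DOMAINS:
        if from_dom != internal and _edit_distance(from_dom, internal) <= 2:
            findings.append("look-alike domain %s ~ %s" % (from_dom, internal))

    # 4. Reply-To pointing somewhere other than the apparent sender.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))

    # Content check: does the message ask for W-2 data at all?
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    w2_request = any(term in text for term in W2_TERMS)
    return findings, w2_request


def disposition(raw):
    """Gateway decision: header findings quarantine the message; a clean message
    that still asks for W-2 data is held for the phone / face-to-face check."""
    findings, w2_request = analyse(raw)
    if findings:
        return "quarantine"
    if w2_request:
        return "verify"
    return "deliver"


# Constructed sample 1: spoofed executive, look-alike domain, failed authentication.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay.example.net
To: payroll@example-corp.com
Subject: W-2 copies needed today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dmarc=fail header.from=examp1e-corp.com

Please send me the W-2 forms for all employees as a single PDF.
"""

# Constructed sample 2: same request sent from the real, compromised executive mailbox.
COMPROMISED = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: W-2 copies needed today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Please send me the W-2 forms for all employees as a single PDF.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised account", COMPROMISED)):
        findings, w2 = analyse(raw)
        print("%s -> %s; findings=%s; W-2 request=%s" % (label, disposition(raw), findings, w2))
```

The spoofed message trips all four header checks and is quarantined. The message from the compromised account produces no findings at all, which is exactly the gap the list describes: the only signal left is the content of the request, so the gateway holds it and the payroll employee confirms by phone with a number already on file before anything is sent.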

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
