Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam.

On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’

After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge.

On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit survived a motion to dismiss and following mediation a settlement was agreed. Lincare has agreed to pay $875,000 to settle the case with no admission of liability. $550,000 will be paid in compensation for class members with a further $325,000 reserved to compensate class members who experience an eligible incident such as the filing of a fraudulent/false tax, opening of a fraudulent/false loan, or the opening of a fraudulent/false credit card.

W-2 Phishing Scams and How to Protect Against Them

Last year, more than 100 U.S. organizations fell victim to W-2 phishing scams during tax season, resulting in the disclosure of more than 120,000 employees’ W-2 information. Many of the employees whose personal information was exposed had their identities stolen and fraudulent tax returns filed in their names.

W-2 phishing scams are simple but highly effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior executive. An email is sent to an employee in the finance, payroll, or HR department requesting copies of W-2 Forms of employees who have worked for the company in the past year.

In some cases, the email address of an executive is spoofed, although the most effective campaigns involve the use of the executive’s email account. Access to the account is usually gained through a phishing attack or by guessing a weak password using brute force tactics. The scam abuses trust in executives and the unwillingness of employees to question requests from senior executives.

Last year both the FBI and the IRS issued warnings over the sharp rise in BEC attacks during tax season, many of which targeted healthcare organizations and educational institutions. tracks reports of successful W-2 phishing attacks and detailed 145 attacks in 2016 and well over 100 in 2017. The true figure will undoubtedly be considerably higher as not all companies publicly announce that they have fallen for such a scam.

The cost of the attacks can be considerable for the victims and, as this settlement shows, the companies whose employees have been fooled by the scams.

Preventing attacks requires a combination of administrative and technical measures.

  • Spam filtering solutions can reduce the potential for phishing emails to be delivered to employees and can block spoofed emails, although they will not block emails sent from a compromised email account.
  • The workforce, especially finance, payroll, and HR employees, should receive security awareness training and be alerted to the threat.
  • Consider introducing internal policies that prohibit executives from making requests for W2 information via email.
  • Policies should be developed that require any request for W-2 information via email to be verified by phone or face to face before any data are provided.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.